[Snort-users] Excluding a single IP from HOME_NET

Todd Wease twease at ...1935...
Thu May 29 13:30:09 EDT 2008


Try

var PROXY_SERVER 10.0.0.1
var HOME_NET [10.0.0.0/8,!$PROXY_SERVER]
var EXTERNAL_NET !$HOME_NET

or try compiling with --enable-ipv6 and using 'ipvar' instead of 'var'

Take a look at README.variables.


Cees wrote:
> List,
> 
> Is it possible to exclude a single IP from HOME_NET?
> 
> Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and
> EXTERNAL_NET are defined as follows:
> 
> var HOME_NET [10.0.0.0/8]
> var EXTERNAL_NET !$HOME_NET
> 
> Now imagine all clients connect to the internet via a proxy server, e.g.
> 10.0.0.1. The problem arises that this setup won't detect any malware
> infections, since (almost) all malware rules are written for clients in
> HOME_NET accessing EXTERNAL_NET, e.g.:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> 180solutions Update Engine"; flow: to_server,established; content:"GET";
> depth: 3; content:"Host|3a|"; within: 300; content:".1
> 80solutions.com"; within: 40; reference:url,
> www.safer-networking.org/index.php?page=threats&detail=212; classtype:
> trojan-activity; sid: 2000930; rev:7;)
> 
> Is there any way to exclude the proxy server from HOME_NET?
> 
> An ideal solution would be something like:
> var PROXY_SERVER = [10.0.0.1]
> var HOME_NET [10.0.0.0/8, !$PROXY_SERVER]
> var EXTERNAL_NET !$HOME_NET
> 
> However, this syntax results in an error in the sfportscan preprocessor:
> ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)
> 
> Any ideas?
> 
> Thanks, Cees
> 
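To check how the suggested definitions resolve for a given address, here is a small added example (written for this page, not Snort's own code) that models Snort's IP-list semantics, hit a positive entry and miss every negated one, on a constructed conf fragment that uses the syntax from the reply:

```python
"""Toy resolver for Snort-style IP variables with list negation (added example, not Snort code)."""
import ipaddress
import re

# Constructed snort.conf fragment using the definitions suggested in the reply.
SAMPLE_CONF = """
var PROXY_SERVER 10.0.0.1
var HOME_NET [10.0.0.0/8,!$PROXY_SERVER]
var EXTERNAL_NET !$HOME_NET
"""

def parse_defs(conf):
    """Collect NAME -> value for each 'var' / 'ipvar' line (whitespace removed)."""
    defs = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(?:var|ipvar)\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            defs[m.group(1)] = m.group(2).replace(" ", "")
    return defs

def _split_list(text):
    """Split 'a,b,[c,d]' on top-level commas only, keeping nested lists intact."""
    items, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur]

def matches(expr, ip, defs):
    """True if ip is covered by expr: a CIDR or host, $VAR, !expr, or a [list]."""
    if expr.startswith("!"):
        return not matches(expr[1:], ip, defs)
    if expr.startswith("$"):
        return matches(defs[expr[1:]], ip, defs)
    if expr.startswith("["):
        items = _split_list(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i for i in items if i.startswith("!")]
        # Must hit a positive entry (any address if there are none) and no negated one.
        hit = any(matches(i, ip, defs) for i in positives) if positives else True
        return hit and all(matches(i, ip, defs) for i in negatives)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def classify(ip, conf=SAMPLE_CONF):
    """Return (in_home_net, in_external_net) for ip under conf's variable definitions."""
    defs = parse_defs(conf)
    return matches("$HOME_NET", ip, defs), matches("$EXTERNAL_NET", ip, defs)
```

With these definitions the proxy lands in EXTERNAL_NET while the rest of 10.0.0.0/8 stays in HOME_NET, so a `$HOME_NET -> $EXTERNAL_NET` rule fires on client-to-proxy traffic.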

