[Snort-users] Excluding a single IP from HOME_NET

Cees celzinga at ...11827...
Fri May 30 08:11:38 EDT 2008


Thanks all.

ipvars seems to be exactly what I need! I've compiled Snort with SSL
support, disabled some preprocessors and rules that stopped working, but it
seems kinda buggy.

Some examples:
# Excluding an IP that ISN'T part of the original definition
ipvar HOME_NET [10.0.0.0/8,![1.1.1.1]]
ipvar EXTERNAL_NET !$HOME_NET

Works

# Excluding an IP that IS part of the original definition
ipvar HOME_NET [10.0.0.0/8,![10.1.1.1]]
ipvar EXTERNAL_NET !$HOME_NET

ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET

# Excluding an ipvar
ipvar PROXY [1.1.1.1]
ipvar HOME_NET [10.0.0.0/8,![$PROXY]]
ipvar EXTERNAL_NET !$HOME_NET

Segmentation fault.

Also interesing, the provided sample in README.variables is invalid
ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
ipvar EXTERNAL_NET !$HOME_NET

ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET

Can anyone confirm this? If I'm not the only one I'll report a bug

Cees

(BTW Jeff, a pass rule won't work since the IDS isn't placed inline.)

On Thu, May 29, 2008 at 7:30 PM, Todd Wease <twease at ...1935...> wrote:

> Try
>
> var PROXY_SERVER 10.0.0.1
> var HOME_NET [10.0.0.0/8,!$PROXY_SERVER<http://10.0.0.0/8,%21$PROXY_SERVER>
> ]
> var EXTERNAL_NET !$HOME_NET
>
> or try compiling with --enable-ipv6 and use 'ipvar' instead of 'var'
>
> Take a look at README.variables.
>
>
> Cees wrote:
>
>> List,
>>
>> Is it possible to exclude a single IP from HOME_NET?
>>
>> Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and
>> EXTERNAL_NET are defined as follows:
>>
>> var HOME_NET [10.0.0.0/8]
>> var EXTERNAL_NET !$HOME_NET
>>
>> Now image all clients connect to the internet via a proxy server, eg
>> 10.0.0.1. The problem arises that this setup won't detect any malware
>> infections, since (allmost) all malware rules are written for client in
>> HOME_NET accessing EXTERNAL_NET, eg:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>> 180solutions Update Engine"; flow: to_server,established; content:"GET";
>> depth: 3; content:"Host|3a|"; within: 300; content:".1
>> 80solutions.com"; within: 40; reference:url,
>> www.safer-networking.org/index.php?page=threats&detail=212; classtype:
>> trojan-activity; sid: 2000930; rev:7;)
>>
>> Is there any way to exclude the proxy server from HOME_NET?
>>
>> An ideal solution would be something like:
>> var PROXY_SERVER = [10.0.0.1]
>> var HOME_NET [10.0.0.0/8, !$PROXY_SERVER]
>> var EXTERNAL_NET !$HOME_NET
>>
>> However, this syntax results in an error in the sfportscan preprocessor:
>> ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)
>>
>> Any ideas?
>>
>> Thanks, Cees
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080530/64b39af0/attachment.html>


More information about the Snort-users mailing list