[Snort-users] Excluding a single IP from HOME_NET

Jack Pepper pepperjack at ...14319...
Fri May 30 08:50:01 EDT 2008


You dont need brackets on a single address:

var PROXY 1.1.1.1
var HOME_NET [10.0.0.0/8,!$PROXY]
var EXTERNAL_NET !$HOME_NET

But anyway, this is not doable because it puts "Proxy" into  
"external_net" via a double negative that chokes the parser.  This did  
not show up in your example because in the example 1.1.1.1 is not a  
subset of 10./8 .


alert icmp any any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test  
(any)"; itype:8; sid:1029366;  classtype:misc-activity; rev:6;)
alert icmp $HOME_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration  
Test (home)"; itype:8; sid:1029367;  classtype:misc-activity; rev:6;)
alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING  
Calibration Test (ext - incl proxy)"; itype:8; sid:1029368;   
classtype:misc-activity; rev:6;)

The proxy gets excluded from home_net (I tested this), but the third  
rule fails to compile because of the double negative. Tested on 2.8.0.1

If we change the "external net" to "[!10.0.0.0/8,$PROXY]" it still  
fails on the subset rule.

If however we want proxy to *not be part of external_net* then we can do this:

var EXTERNAL_NET !10.0.0.0/8

and every thing works just fine.  Proxy ends up being not home and not  
external.  if that's what you want.


jp



Quoting Cees <celzinga at ...11827...>:

> Thanks all.
>
> ipvars seems to be exactly what I need! I've compiled Snort with SSL
> support, disabled some preprocessors and rules that stopped working, but it
> seems kinda buggy.
>
> Some examples:
> # Excluding an IP that ISN'T part of the original definition
> ipvar HOME_NET [10.0.0.0/8,![1.1.1.1]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> Works
>
> # Excluding an IP that IS part of the original definition
> ipvar HOME_NET [10.0.0.0/8,![10.1.1.1]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET
>
> # Excluding an ipvar
> ipvar PROXY [1.1.1.1]
> ipvar HOME_NET [10.0.0.0/8,![$PROXY]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> Segmentation fault.
>
> Also interesing, the provided sample in README.variables is invalid
> ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET
>
> Can anyone confirm this? If I'm not the only one I'll report a bug
>
> Cees
>
> (BTW Jeff, a pass rule won't work since the IDS isn't placed inline.)
>
> On Thu, May 29, 2008 at 7:30 PM, Todd Wease <twease at ...1935...> wrote:
>
>> Try
>>
>> var PROXY_SERVER 10.0.0.1
>> var HOME_NET [10.0.0.0/8,!$PROXY_SERVER<http://10.0.0.0/8,%21$PROXY_SERVER>
>> ]
>> var EXTERNAL_NET !$HOME_NET
>>
>> or try compiling with --enable-ipv6 and use 'ipvar' instead of 'var'
>>
>> Take a look at README.variables.
>>
>>
>> Cees wrote:
>>
>>> List,
>>>
>>> Is it possible to exclude a single IP from HOME_NET?
>>>
>>> Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and
>>> EXTERNAL_NET are defined as follows:
>>>
>>> var HOME_NET [10.0.0.0/8]
>>> var EXTERNAL_NET !$HOME_NET
>>>
>>> Now image all clients connect to the internet via a proxy server, eg
>>> 10.0.0.1. The problem arises that this setup won't detect any malware
>>> infections, since (allmost) all malware rules are written for client in
>>> HOME_NET accessing EXTERNAL_NET, eg:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>>> 180solutions Update Engine"; flow: to_server,established; content:"GET";
>>> depth: 3; content:"Host|3a|"; within: 300; content:".1
>>> 80solutions.com"; within: 40; reference:url,
>>> www.safer-networking.org/index.php?page=threats&detail=212; classtype:
>>> trojan-activity; sid: 2000930; rev:7;)
>>>
>>> Is there any way to exclude the proxy server from HOME_NET?
>>>
>>> An ideal solution would be something like:
>>> var PROXY_SERVER = [10.0.0.1]
>>> var HOME_NET [10.0.0.0/8, !$PROXY_SERVER]
>>> var EXTERNAL_NET !$HOME_NET
>>>
>>> However, this syntax results in an error in the sfportscan preprocessor:
>>> ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)
>>>
>>> Any ideas?
>>>
>>> Thanks, Cees
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Microsoft
>>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com





More information about the Snort-users mailing list