[Snort-users] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)

elof at ...6680...
Wed Oct 3 05:02:46 EDT 2012

Unfortunately, your solution fails when you have rules like this:

var HOME_NET [,,![,]]
alert tcp $HOME_NET any -> !$HOME_NET 69

!$HOME_NET will expand to a negated list with negated items in it. Double 
negation is not allowed --> bailout.

I have rules that must *only* match outgoing traffic from the HOME_NET to 
the internet, not internal traffic from a HOME_NET client to a HOME_NET.
Like if I only want an alert when snort see a TFTP filetransfer towards 
the internet, not internal TFTP transfers:

original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69

or rules like this:
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53

...will fail with:

ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: !$DNS_SERVERS. 
Fatal Error, Quitting..

I made a request to the snort developers, like four years ago, to fix 
this and allow negated items in a negated list. I didn't get any response 
if I recall correctly.

I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS, 


On Mon, 1 Oct 2012, Jack Pepper wrote:

> I did not know this was available.  that's a way better (and more
> intuitive) solution.
>      ipvar EXAMPLE [,,![,]]
> jp
> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...1935...> wrote:
>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...14319...>
>> wrote:
>> the subject of how to exclude one IP address from HOME_NET still comes up
>> occasionally.  Usually it's a proxy server.  I wrote a little program a
>> long time ago (2008?) to create a HOME_NET statement with the proxy address
>> excluded.  Herewith I offer it to the public (should a done that a long
>> time ago).
>>      http://www.autoshun.org/exclusion.asp
>> Please see this section of the Snort Manual:
>> http://manual.snort.org/node16.html#SECTION00312000000000000000
>> As it references how to exclude certain IPs within a variable.
>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>> emerging-sigs issue) and someone may find it useful.
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
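To make the semantics in the thread concrete, here is a small evaluator (an added example, not code from the post or from Snort) that models how an ipvar list is read: the positive entries are OR'd together, the `!` entries are excluded, and a leading `!` on the whole variable inverts the result. Addresses and the HOME_NET value are constructed for illustration; the helper names are mine, and the behaviour for a list with no positive entries (treated as "any") is an assumption.

```python
import ipaddress

def parse_ipvar(spec):
    """Parse a Snort-style ipvar value such as '![10.0.0.0/8,!10.0.0.5]'.
    Returns (whole_list_negated, include_networks, exclude_networks)."""
    spec = spec.strip()
    negated = spec.startswith("!")       # leading '!' negates the whole list
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    includes, excludes = [], []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item.startswith("!"):         # '!x' inside the list excludes x
            excludes.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            includes.append(ipaddress.ip_network(item, strict=False))
    return negated, includes, excludes

def ipvar_matches(spec, addr):
    """True if addr is covered by the variable: (in some include AND in no
    exclude), inverted when the whole list is negated. This is the meaning
    the post asks for when !$HOME_NET expands to a list with '!' items in it.
    Assumption: a list with no positive entries means 'any address'."""
    negated, includes, excludes = parse_ipvar(spec)
    ip = ipaddress.ip_address(addr)
    in_include = (not includes) or any(ip in n for n in includes)
    inside = in_include and not any(ip in n for n in excludes)
    return (not inside) if negated else inside

def rule_fires(src_spec, dst_spec, src, dst):
    """Address part of 'alert ... SRC any -> DST port': both sides must match."""
    return ipvar_matches(src_spec, src) and ipvar_matches(dst_spec, dst)

# Constructed HOME_NET: a /8 with one host (e.g. a proxy) excluded.
HOME_NET = "[10.0.0.0/8,!10.0.0.5]"
NOT_HOME = "!" + HOME_NET           # what '!$HOME_NET' expands to textually

if __name__ == "__main__":
    # 'alert tcp $HOME_NET any -> !$HOME_NET 69' should fire only for
    # traffic leaving the home network, never for internal transfers.
    for src, dst in [("10.1.2.3", "10.1.2.4"),   # internal -> internal
                     ("10.1.2.3", "8.8.8.8"),    # internal -> internet
                     ("10.1.2.3", "10.0.0.5")]:  # internal -> excluded host
        print(src, "->", dst, "fires:", rule_fires(HOME_NET, NOT_HOME, src, dst))
```

Running it shows the excluded host is treated as outside HOME_NET on both sides of the rule, which is exactly the distinction a single-level negation cannot express.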
