[Snort-users] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)
elof at ...6680...
elof at ...6680...
Wed Oct 3 05:02:46 EDT 2012
Unfortunetly, your solution fails when you have rules like this:
var HOME_NET [220.127.116.11,18.104.22.168/24,![22.214.171.124,126.96.36.199]]
var EXTERNAL_NET any
alert tcp $HOME_NET any -> !$HOME_NET 69
!$HOME_NET will expand to a negated list with negated items in it. Double
negation is not allowed --> bailout.
I have rules that must *only* match outgoing traffic from the HOME_NET to
the internet, not internal traffic from ha HOME_NET client to a HOME_NET
Like if I only want an alert when snort see a TFTP filetransfer towards
the internet, not internal TFTP transfers:
original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
or rules like this:
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
...will fail with:
ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: !$DNS_SERVERS.
Fatal Error, Quitting..
I made a request to the snort developers, like four years ago, to fix
this and allow negated items in a negated list. I didn't get any response
if I recall correctly.
I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS,
On Mon, 1 Oct 2012, Jack Pepper wrote:
> I did not know this was available. that's a way better (and more
> inuitive) solution.
> ipvar EXAMPLE [188.8.131.52,184.108.40.206/24,![220.127.116.11,18.104.22.168]]
> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...1935...> wrote:
>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...14319...>
>> the subject of how to exclude one IP address from HOME_NET still comes up
>> occasionally. Usually it's a proxy server. I wrote a little program a
>> long time ago (2008?) to create a HOME_NET statement with the proxy address
>> excluded. Herewith I offer it to the public (should a done that a long
>> time ago).
>> Please see this section of the Snort Manual:
>> As it references how to exclude certain IPs within a variable.
>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>> emerging-sigs issue) and someone may find it useful.
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
More information about the Snort-users