[Snort-users] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)
pepperjack at ...14319...
Wed Oct 3 11:31:47 EDT 2012
So elof, does changing HOME_NET to this solve your request?
The above HOME_NET is the same as
On Wed, Oct 3, 2012 at 4:02 AM, <elof at ...6680...> wrote:
> Unfortunately, your solution fails when you have rules like this:
> var HOME_NET [188.8.131.52,184.108.40.206/24,![220.127.116.11,18.104.22.168]]
> var EXTERNAL_NET any
> alert tcp $HOME_NET any -> !$HOME_NET 69
> !$HOME_NET will expand to a negated list with negated items in it. Double
> negation is not allowed --> bailout.
> I have rules that must *only* match outgoing traffic from the HOME_NET to
> the internet, not internal traffic from a HOME_NET client to a HOME_NET
> Like if I only want an alert when snort sees a TFTP file transfer towards
> the internet, not internal TFTP transfers:
> original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
> modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
> or rules like this:
> alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
> ...will fail with:
> ERROR: snort.conf(1234) Negated IP ranges that are more general than
> non-negated ranges are not allowed. Consider inverting the logic:
> !$DNS_SERVERS. Fatal Error, Quitting..
> I made a request to the snort developers, like four years ago, to fix this
> and allow negated items in a negated list. I didn't get any response if I
> recall correctly.
> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS,
> On Mon, 1 Oct 2012, Jack Pepper wrote:
>> I did not know this was available. That's a way better (and more
>> intuitive) solution.
>> ipvar EXAMPLE [184.108.40.206,220.127.116.11/24,![18.104.22.168,22.214.171.124]]
>> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...1935...> wrote:
>>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...14319...> wrote:
>>>> The subject of how to exclude one IP address from HOME_NET still comes up
>>>> occasionally. Usually it's a proxy server. I wrote a little program a
>>>> long time ago (2008?) to create a HOME_NET statement with the proxy
>>>> excluded. Herewith I offer it to the public (should have done that a long
>>>> time ago).
>>> Please see this section of the Snort Manual:
>>> As it references how to exclude certain IPs within a variable.
>>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>>> emerging-sigs issue) and someone may find it useful.
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
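Added example, not code from this thread and not Snort's own code: a small Python model of the ipvar list syntax quoted above (nested "![...]" exclusions), the two errors the thread mentions (a "!" inside an already negated list, and a negated range that is more general than a non-negated one), and a generator that rewrites "!$HOME_NET" as an explicit, negation-free list that can be used as EXTERNAL_NET in rules such as the TFTP one. The address ranges are constructed for the example, the function names are this example's own, and the parser handles IPv4 lists only.

```python
# Added example (not from the thread, not Snort's code): model the ipvar list
# rules discussed above and generate a negation-free "!$VAR" equivalent.
import ipaddress
import re

_TOKEN = re.compile(r"\[|\]|,|!|[0-9./]+")


def parse_ipvar_list(text):
    """Return (positives, negatives), two lists of IPv4Network.

    Grammar, following the Snort manual's ipvar examples:
        list := '[' item (',' item)* ']' | item
        item := '!'? (list | address[/prefix])
    A '!' met while already inside a negated list raises ValueError; that is
    the situation the thread describes for "!$HOME_NET" when HOME_NET itself
    contains "![...]".
    """
    tokens = _TOKEN.findall(text.replace(" ", ""))
    pos, neg = [], []

    def item(i, negated):
        if i >= len(tokens):
            raise ValueError("unexpected end of list")
        if tokens[i] == "!":
            if negated:
                raise ValueError("double negation is not allowed")
            return item(i + 1, True)
        if tokens[i] == "[":
            i += 1
            while True:
                i = item(i, negated)
                if i < len(tokens) and tokens[i] == ",":
                    i += 1
                    continue
                if i < len(tokens) and tokens[i] == "]":
                    return i + 1
                raise ValueError("expected ',' or ']'")
        net = ipaddress.IPv4Network(tokens[i], strict=False)
        (neg if negated else pos).append(net)
        return i + 1

    if item(0, False) != len(tokens):
        raise ValueError("trailing input after list")
    return pos, neg


def check_list(pos, neg):
    """Snort's other constraint: a negated range must not be more general
    than (or equal to) a non-negated one, e.g. [!10.0.0.0/24,10.0.0.1]."""
    for n in neg:
        for p in pos:
            if p.subnet_of(n):
                raise ValueError(
                    "Negated IP ranges that are more general than "
                    f"non-negated ranges are not allowed: !{n} vs {p}")


def complement(nets):
    """All IPv4 space not covered by any network in nets."""
    blocks = [ipaddress.IPv4Network("0.0.0.0/0")]
    for net in nets:
        new = []
        for b in blocks:
            if b.subnet_of(net):          # block wholly removed
                continue
            if net.subnet_of(b):          # carve net out of this block
                new.extend(b.address_exclude(net))
            else:                         # CIDR blocks: otherwise disjoint
                new.append(b)
        blocks = new
    return list(ipaddress.collapse_addresses(blocks))


def negate_list(pos, neg):
    """Explicit positive ranges equal to !$VAR, where VAR = pos minus neg.
    The excluded hosts (neg) are outside VAR, so they belong to !$VAR."""
    check_list(pos, neg)
    return list(ipaddress.collapse_addresses(complement(pos) + neg))


def matches(nets, ip):
    """True if ip falls inside any network of the list."""
    return any(ipaddress.IPv4Address(ip) in n for n in nets)


def to_ipvar(name, nets):
    """Render a negation-free ipvar statement."""
    items = [str(n.network_address) if n.prefixlen == 32 else n.with_prefixlen
             for n in nets]
    return f"ipvar {name} [{','.join(items)}]"


def rejects(text):
    """True if Snort's list rules, as modelled here, would reject text."""
    try:
        check_list(*parse_ipvar_list(text))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed HOME_NET: one host, one /24, two hosts excluded from the /24.
    home = "[10.0.0.1,10.0.1.0/24,![10.0.1.5,10.0.1.6]]"
    pos, neg = parse_ipvar_list(home)
    print("!$HOME_NET rejected:", rejects("!" + home))
    print(to_ipvar("EXTERNAL_NET", negate_list(pos, neg)))
    print("alert tcp $HOME_NET any -> $EXTERNAL_NET 69 (msg:\"outbound TFTP\"; sid:1000001;)")
```

The generated EXTERNAL_NET is long (the complement of a /24 alone is about thirty CIDR blocks) and has to be regenerated whenever HOME_NET changes, so it belongs in a generated include file rather than hand-edited snort.conf; it is also only as faithful to Snort as the two rules modelled here, so verify the resulting config with snort -T before deploying it.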