[Snort-users] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)

Jack Pepper pepperjack at ...14319...
Wed Oct 3 11:31:47 EDT 2012


So elof, does changing HOME_NET to this solve your request?

HOME_NET=[1.1.1.1,2.128.0.0/9,2.64.0.0/10,2.32.0.0/11,2.16.0.0/12,2.8.0.0/13,2.4.0.0/14,2.0.0.0/15,2.3.0.0/16,2.2.128.0/17,2.2.64.0/18,2.2.32.0/19,2.2.16.0/20,2.2.8.0/21,2.2.4.0/22,2.2.0.0/23,2.2.3.0/24,2.2.2.128/25,2.2.2.64/26,2.2.2.32/27,2.2.2.16/28,2.2.2.8/29,2.2.2.4/30,2.2.2.0/31]


The above HOME_NET is the same as
[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]],
right?





On Wed, Oct 3, 2012 at 4:02 AM, <elof at ...6680...> wrote:

>
> Unfortunately, your solution fails when you have rules like this:
>
> var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
> var EXTERNAL_NET any
> alert tcp $HOME_NET any -> !$HOME_NET 69
>
> !$HOME_NET will expand to a negated list with negated items in it. Double
> negation is not allowed --> bailout.
>
>
> Example:
> I have rules that must *only* match outgoing traffic from the HOME_NET to
> the internet, not internal traffic from a HOME_NET client to a HOME_NET
> server.
> Like if I only want an alert when snort sees a TFTP file transfer towards
> the internet, not internal TFTP transfers:
>
> original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
> modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
>
> or rules like this:
> alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
>
> ...will fail with:
>
> ERROR: snort.conf(1234) Negated IP ranges that are more general than
> non-negated ranges are not allowed. Consider inverting the logic:
> !$DNS_SERVERS. Fatal Error, Quitting..
>
>
>
> I made a request to the snort developers, like four years ago, to fix this
> and allow negated items in a negated list. I didn't get any response if I
> recall correctly.
>
> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS,
> etc.
>
> /Elof
>
>
>
> On Mon, 1 Oct 2012, Jack Pepper wrote:
>
>> I did not know this was available.  That's a way better (and more
>> intuitive) solution.
>>      ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>>
>> jp
>>
>> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...1935...> wrote:
>>
>>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...14319...> wrote:
>>>
>>> the subject of how to exclude one IP address from HOME_NET still comes up
>>> occasionally.  Usually it's a proxy server.  I wrote a little program a
>>> long time ago (2008?) to create a HOME_NET statement with the proxy
>>> address
>>> excluded.  Herewith I offer it to the public (should have done that a long
>>> time ago).
>>>      http://www.autoshun.org/exclusion.asp
>>>
>>>
>>> Please see this section of the Snort Manual:
>>>
>>> http://manual.snort.org/node16.html#SECTION00312000000000000000
>>>
>>> As it references how to exclude certain IPs within a variable.
>>>
>>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>>> emerging-sigs issue) and someone may find it useful.
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121003/805757f1/attachment.html>
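Added example for this thread (my code, not from the list posts, from the autoshun.org exclusion tool, or from Snort): a small Python routine that does what Jack's exclusion tool does, i.e. flattens an ipvar that contains a nested negated list into an equivalent list of purely positive CIDRs. Once HOME_NET is written that way, `!$HOME_NET` in a rule is a plain negated list rather than a negated list with negated items inside it, which is the double negation elof describes Snort rejecting. The parser covers only a subset of Snort's IP-list grammar (comma-separated addresses or CIDRs, optional bracketed sub-list prefixed with `!`); `any` and `$VAR` references are assumed to have been expanded already. Run on the two HOME_NET definitions posted above, it also shows that the 23-prefix list is the complement of the two hosts within 2.0.0.0/8, while the bracketed form covers only 2.2.2.0/24 (seven prefixes plus 1.1.1.1), so the two are not the same set.

```python
"""Flatten a Snort ipvar with a nested negated list into positive-only CIDRs.

Added example for this thread; not code from the list posts, from the
autoshun.org exclusion tool, or from Snort.  Handles a subset of Snort's
IP-list grammar: comma-separated addresses or CIDRs, with an optional
bracketed sub-list prefixed by '!'.  'any' and $VAR references are not
handled (assumption: the variable has already been expanded).
"""
import ipaddress
from typing import List

# Constructed inputs, copied from the two HOME_NET definitions in the thread.
BRACKETED_HOME_NET = "[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]"
LONG_HOME_NET = ("[1.1.1.1,2.128.0.0/9,2.64.0.0/10,2.32.0.0/11,2.16.0.0/12,"
                 "2.8.0.0/13,2.4.0.0/14,2.0.0.0/15,2.3.0.0/16,2.2.128.0/17,"
                 "2.2.64.0/18,2.2.32.0/19,2.2.16.0/20,2.2.8.0/21,2.2.4.0/22,"
                 "2.2.0.0/23,2.2.3.0/24,2.2.2.128/25,2.2.2.64/26,2.2.2.32/27,"
                 "2.2.2.16/28,2.2.2.8/29,2.2.2.4/30,2.2.2.0/31]")


def split_items(text: str) -> List[str]:
    """Split a (possibly bracketed) Snort list on top-level commas only."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    items, current, depth = [], "", 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        items.append(current.strip())
    return items


def to_positive(text: str) -> list:
    """Return the address set described by ``text`` as sorted, non-negated CIDRs.

    Each negated item is carved out of every positive item it overlaps.
    A negated range wider than a positive one simply removes that positive
    item (Snort itself rejects that case with the 'more general' error
    quoted in the thread; here it is plain set subtraction).
    """
    positives, negatives = [], []
    for item in split_items(text):
        if item.startswith("!"):
            negatives.extend(to_positive(item[1:]))      # '!x' or '![a,b]'
        elif item.startswith("["):
            positives.extend(to_positive(item))          # nested positive list
        else:
            positives.append(ipaddress.ip_network(item, strict=False))

    result = []
    for pos in positives:
        pieces = [pos]
        for neg in negatives:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(neg):
                    continue                              # wholly excluded
                if neg.subnet_of(piece):
                    # address_exclude yields the sibling prefix at every level
                    # between piece and neg: the minimal CIDR cover of the rest.
                    remaining.extend(piece.address_exclude(neg))
                else:
                    remaining.append(piece)
            pieces = remaining
        result.extend(pieces)
    return sorted(ipaddress.collapse_addresses(result))


def as_ipvar(name: str, text: str) -> str:
    """Render the flattened list as a Snort ipvar line (hosts without /32)."""
    def fmt(net):
        return str(net.network_address) if net.prefixlen == 32 else str(net)
    return "ipvar %s [%s]" % (name, ",".join(fmt(n) for n in to_positive(text)))


if __name__ == "__main__":
    print(as_ipvar("HOME_NET", BRACKETED_HOME_NET))
    print("long list == bracketed /24 form:",
          to_positive(LONG_HOME_NET) == to_positive(BRACKETED_HOME_NET))
    print("long list == 2.0.0.0/8 minus the two hosts:",
          to_positive(LONG_HOME_NET)
          == to_positive("[1.1.1.1,2.0.0.0/8,![2.2.2.2,2.2.2.3]]"))
```

The flattened `ipvar` line can be pasted into snort.conf in place of the bracketed form, and `!$HOME_NET` then negates a list that contains no negated items. The exclusion is done by `ipaddress.IPv4Network.address_exclude`, which walks from the enclosing prefix down to the excluded one and emits the sibling at each step; that is exactly the shape of the 23-entry list in the thread.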

