Snort mailing list archives

Re: EXTERNAL_NET var acting strange


From: Scott Nursten <scott.nursten () streetsonline co uk>
Date: Tue, 21 Aug 2001 15:22:39 +0100

Unfortunately, that doesn't take care of the 172.16.[0|16].0/24 addresses. 

Thanks for the help tho'. 

My last post had: 

![exclude],[include] - but that definitely doesn't work. So, if I want to include one (or a subnet of) address[es] in 
my EXTERNAL_NET, do I have to go:

var EXCLUDE [1.1.1.0/24,172.16.16.0/24,172.16.0.0/24]

var EXTERNAL_NET [!$EXCLUDE,1.1.1.4/32]

or what???

Scott 

John Sage wrote:

Scott:

Have you tried:

var EXTERNAL_NET !$HOME_NET

(Not wanting to get involved in the ongoing logic-syntax debate... ;-)

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Scott Nursten wrote:

Hi guys,

In my conf, I have the following (obfuscated live IP's):


-----snip------
var HOME_NET 1.1.1.0/24

# Set up the external network addresses as well.
# A good start may be "any"

var EXTERNAL_NET [!1.1.1.0/24,!172.16.0.0/24,!172.16.16.0/24]
-----snip------

However, ICMP packets from 1.1.1.66 -> 1.1.1.55 get logged through the following rule:

icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; 
reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

If I change EXTERNAL_NET to !1.1.1.0/24 (without the ['s and ,'s), it worx fine (i.e. those packets don't get logged).

Please point out the error.

Rgds,

-- 

Scott Nursten - Systems Administrator
----------------------------------------------
ddi:   +44 (0) 1293 744 122
work:  +44 (0) 1293 402 040
fax:   +44 (0) 1293 402 050
email: scottn () streetsonline co uk
wwweb: http://www.streetsonline.co.uk
----------------------------------------------

                Any sufficiently advanced technology is indistinguishable from magic.
                                        Arthur C. Clarke

                Any technology distinguishable from magic is insufficiently advanced.
                         (Probably not) Arthur C. Clarke

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
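To see why the three-element list behaves differently from the bare !1.1.1.0/24, here is a small Python model, added for this archive page and not taken from the thread or from Snort's source, of the two ways a negated address list can be read: as a union of independently negated elements, or as the negation of the whole set. The element-wise reading is an assumption about the parser, but it reproduces exactly what Scott reports (the list fires on 1.1.1.66 -> 1.1.1.55, the single negation does not, and the single negation still lets the 172.16 ranges through).

```python
import ipaddress

# Networks from Scott's config (the obfuscated addresses from the post).
HOME_NET = ["1.1.1.0/24"]
EXCLUDED = ["1.1.1.0/24", "172.16.0.0/24", "172.16.16.0/24"]
EXTERNAL_NET_LIST = ["!1.1.1.0/24", "!172.16.0.0/24", "!172.16.16.0/24"]


def in_net(addr, item):
    """Evaluate one list element, honouring a leading '!' on that element."""
    negated = item.startswith("!")
    net = ipaddress.ip_network(item.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negated else hit


def matches_elementwise(addr, items):
    """Assumed list semantics: the list is a union, so the address matches if
    it matches ANY element, each element being evaluated on its own.  With
    three negated elements, any address outside at least one of the three
    networks matches, which is every address there is."""
    return any(in_net(addr, item) for item in items)


def matches_negated_set(addr, items):
    """What the poster wants: 'not in any of these networks', i.e. the
    negation applied to the whole set rather than to each element."""
    return not any(in_net(addr, item) for item in items)


def rule_fires(src, dst, external_match, home_match):
    """Header of the rule in the post: alert icmp $EXTERNAL_NET any -> $HOME_NET any."""
    return external_match(src) and home_match(dst)


def demo(src="1.1.1.66", dst="1.1.1.55"):
    """Run the same ICMP packet through the three candidate EXTERNAL_NET forms."""
    home = lambda a: matches_elementwise(a, HOME_NET)
    forms = {
        # var EXTERNAL_NET [!1.1.1.0/24,!172.16.0.0/24,!172.16.16.0/24]
        "list_of_negations": lambda a: matches_elementwise(a, EXTERNAL_NET_LIST),
        # var EXTERNAL_NET !1.1.1.0/24
        "single_negation": lambda a: matches_elementwise(a, ["!1.1.1.0/24"]),
        # the whole exclusion set negated at once
        "negated_set": lambda a: matches_negated_set(a, EXCLUDED),
    }
    return {name: rule_fires(src, dst, ext, home) for name, ext in forms.items()}


if __name__ == "__main__":
    for src in ("1.1.1.66", "172.16.16.5", "8.8.8.8"):
        print(src, demo(src=src))
```

Later Snort releases accept the negated-set reading directly by negating the bracketed list as a whole, ![1.1.1.0/24,172.16.0.0/24,172.16.16.0/24], rather than each element inside it.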

