Snort mailing list archives
RE: home_net and ext_net question
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 25 Apr 2003 13:27:57 -0400
Matt,

Thank you for the clarification. I fully understand De Morgan's theorem, being a very proficient C/C++/VB/etc. programmer, network admin, etc. I just didn't understand that the brackets acted like parentheses -- I thought the brackets were only required to group multiple values together during a 'var' assignment. But now I am more 'enlightened' in the parsing functionality of Snort.

Christopher

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Friday, April 25, 2003 1:13 PM
To: L. Christopher Luther; 'Everist, Benjamin S. (NASWI)'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] home_net and ext_net question

At 12:10 PM 4/25/2003 -0400, L. Christopher Luther wrote:
> It is my understanding that if you have a rule that is something like "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ..." you could actually get alerts from within the 10.0.2.0 network. Why? Because Snort performs a first match between source address and destination. Therefore, a packet from 10.0.2.0/24 satisfies the !10.0.1.0/24. Maybe I'm mixed up here (always a good possibility), but I seem to remember that when multiple networks are included in a rule the rule treats the networks in an OR fashion not an AND fashion.
You're mixed up in logic. Snort does treat comma'ed lists in an OR fashion, but because the ! is outside the braces it happens *after* the OR is already done, making it NOT (A OR B). Which according to De Morgan's theorem is logically equivalent to (NOT A) AND (NOT B).

The "funny things" will only happen in the absence of the brackets, or if you try to do this common mistake:

[!a.a.a.a/24, !b.b.b.b/24]

Which is equivalent to any if a and b don't overlap.
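As an added illustration of the semantics Matt describes (this is a hand-written model, not code from the thread or from Snort's own parser): a small Python evaluator for Snort-style address specs that shows why `![A,B]` excludes both networks while `[!A,!B]` matches everything when A and B do not overlap. Nested brackets without commas inside items are assumed.

```python
from ipaddress import ip_address, ip_network


def parse_ip_spec(spec):
    """Turn a Snort-style address spec into a predicate over an IP address.

    Rules modelled from the thread (assumed, not Snort's actual parser):
      - a comma'ed list inside [...] matches if ANY item matches (OR)
      - a leading '!' negates whatever follows it, so '![A,B]' is
        NOT (A OR B), which by De Morgan equals (NOT A) AND (NOT B)
      - '[!A,!B]' is (NOT A) OR (NOT B): any address outside at least one
        of the two networks matches, i.e. 'any' when A and B don't overlap
    """
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()

    if spec.startswith("[") and spec.endswith("]"):
        # Brackets group items; each item is parsed recursively so it may
        # carry its own '!'. Items are combined with OR.
        items = [parse_ip_spec(s) for s in spec[1:-1].split(",")]
        pred = lambda addr: any(p(addr) for p in items)
    elif spec == "any":
        pred = lambda addr: True
    else:
        net = ip_network(spec, strict=False)
        pred = lambda addr: addr in net

    if negate:
        # '!' outside the brackets is applied AFTER the OR has been evaluated
        return lambda addr: not pred(addr)
    return pred


def matches(spec, addr):
    """True if the address would satisfy the given Snort-style spec."""
    return parse_ip_spec(spec)(ip_address(addr))


def matches_everything(spec, samples):
    """Check a spec against a list of constructed sample addresses; True if
    the spec behaves like 'any' over all of them."""
    return all(matches(spec, a) for a in samples)


if __name__ == "__main__":
    # Constructed sample addresses: two inside the HOME_NET networks, one outside
    samples = ["10.0.1.5", "10.0.2.5", "192.0.2.1"]
    print("![10.0.1.0/24,10.0.2.0/24] acts like any:",
          matches_everything("![10.0.1.0/24,10.0.2.0/24]", samples))  # False
    print("[!10.0.1.0/24,!10.0.2.0/24] acts like any:",
          matches_everything("[!10.0.1.0/24,!10.0.2.0/24]", samples))  # True
```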