Re: Excluding a single IP from HOME_NET

[Jack Pepper <pepperjack () afferentsecurity com>]

You dont need brackets on a single address:

var PROXY 1.1.1.1
var HOME_NET [10.0.0.0/8,!$PROXY]
var EXTERNAL_NET !$HOME_NET

But anyway, this is not doable because it puts "Proxy" into  
"external_net" via a double negative that chokes the parser.  This did  
not show up in your example because in the example 1.1.1.1 is not a  
subset of 10./8 .


alert icmp any any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test  
(any)"; itype:8; sid:1029366;  classtype:misc-activity; rev:6;)
alert icmp $HOME_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration  
Test (home)"; itype:8; sid:1029367;  classtype:misc-activity; rev:6;)
alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING  
Calibration Test (ext - incl proxy)"; itype:8; sid:1029368;   
classtype:misc-activity; rev:6;)

The proxy gets excluded from home_net (I tested this), but the third  
rule fails to compile because of the double negative. Tested on 2.8.0.1

If we change the "external net" to "[!10.0.0.0/8,$PROXY]" it still  
fails on the subset rule.

If however we want proxy to *not be part of external_net* then we can do this:

var EXTERNAL_NET !10.0.0.0/8

and every thing works just fine.  Proxy ends up being not home and not  
external.  if that's what you want.


jp



Quoting Cees <celzinga () gmail com>:

> Thanks all.
>
> ipvars seems to be exactly what I need! I've compiled Snort with SSL
> support, disabled some preprocessors and rules that stopped working, but it
> seems kinda buggy.
>
> Some examples:
> # Excluding an IP that ISN'T part of the original definition
> ipvar HOME_NET [10.0.0.0/8,![1.1.1.1]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> Works
>
> # Excluding an IP that IS part of the original definition
> ipvar HOME_NET [10.0.0.0/8,![10.1.1.1]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET
>
> # Excluding an ipvar
> ipvar PROXY [1.1.1.1]
> ipvar HOME_NET [10.0.0.0/8,![$PROXY]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> Segmentation fault.
>
> Also interesing, the provided sample in README.variables is invalid
> ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
> ipvar EXTERNAL_NET !$HOME_NET
>
> ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET
>
> Can anyone confirm this? If I'm not the only one I'll report a bug
>
> Cees
>
> (BTW Jeff, a pass rule won't work since the IDS isn't placed inline.)
>
> On Thu, May 29, 2008 at 7:30 PM, Todd Wease <twease () sourcefire com> wrote:
>
> > Try
> >
> > var PROXY_SERVER 10.0.0.1
> > var HOME_NET [10.0.0.0/8,!$PROXY_SERVER<http://10.0.0.0/8,%21$PROXY_SERVER>
> > ]
> > var EXTERNAL_NET !$HOME_NET
> >
> > or try compiling with --enable-ipv6 and use 'ipvar' instead of 'var'
> >
> > Take a look at README.variables.
> >
> >
> > Cees wrote:
> >
> > > List,
> > >
> > > Is it possible to exclude a single IP from HOME_NET?
> > >
> > > Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and
> > > EXTERNAL_NET are defined as follows:
> > >
> > > var HOME_NET [10.0.0.0/8]
> > > var EXTERNAL_NET !$HOME_NET
> > >
> > > Now image all clients connect to the internet via a proxy server, eg
> > > 10.0.0.1. The problem arises that this setup won't detect any malware
> > > infections, since (allmost) all malware rules are written for client in
> > > HOME_NET accessing EXTERNAL_NET, eg:
> > >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> > > 180solutions Update Engine"; flow: to_server,established; content:"GET";
> > > depth: 3; content:"Host|3a|"; within: 300; content:".1
> > > 80solutions.com"; within: 40; reference:url,
> > > www.safer-networking.org/index.php?page=threats&detail=212; classtype:
> > > trojan-activity; sid: 2000930; rev:7;)
> > >
> > > Is there any way to exclude the proxy server from HOME_NET?
> > >
> > > An ideal solution would be something like:
> > > var PROXY_SERVER = [10.0.0.1]
> > > var HOME_NET [10.0.0.0/8, !$PROXY_SERVER]
> > > var EXTERNAL_NET !$HOME_NET
> > >
> > > However, this syntax results in an error in the sfportscan preprocessor:
> > > ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)
> > >
> > > Any ideas?
> > >
> > > Thanks, Cees
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users