Snort mailing list archives
Re: Excluding a single IP from HOME_NET
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Fri, 30 May 2008 07:50:01 -0500
You dont need brackets on a single address: var PROXY 1.1.1.1 var HOME_NET [10.0.0.0/8,!$PROXY] var EXTERNAL_NET !$HOME_NET But anyway, this is not doable because it puts "Proxy" into "external_net" via a double negative that chokes the parser. This did not show up in your example because in the example 1.1.1.1 is not a subset of 10./8 . alert icmp any any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (any)"; itype:8; sid:1029366; classtype:misc-activity; rev:6;) alert icmp $HOME_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (home)"; itype:8; sid:1029367; classtype:misc-activity; rev:6;) alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (ext - incl proxy)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;) The proxy gets excluded from home_net (I tested this), but the third rule fails to compile because of the double negative. Tested on 2.8.0.1 If we change the "external net" to "[!10.0.0.0/8,$PROXY]" it still fails on the subset rule. If however we want proxy to *not be part of external_net* then we can do this: var EXTERNAL_NET !10.0.0.0/8 and every thing works just fine. Proxy ends up being not home and not external. if that's what you want. jp Quoting Cees <celzinga () gmail com>:
Thanks all. ipvars seems to be exactly what I need! I've compiled Snort with SSL support, disabled some preprocessors and rules that stopped working, but it seems kinda buggy. Some examples: # Excluding an IP that ISN'T part of the original definition ipvar HOME_NET [10.0.0.0/8,![1.1.1.1]] ipvar EXTERNAL_NET !$HOME_NET Works # Excluding an IP that IS part of the original definition ipvar HOME_NET [10.0.0.0/8,![10.1.1.1]] ipvar EXTERNAL_NET !$HOME_NET ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET # Excluding an ipvar ipvar PROXY [1.1.1.1] ipvar HOME_NET [10.0.0.0/8,![$PROXY]] ipvar EXTERNAL_NET !$HOME_NET Segmentation fault. Also interesing, the provided sample in README.variables is invalid ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]] ipvar EXTERNAL_NET !$HOME_NET ERROR: Undefined variable name: (./attack-responses.rules:26): EXTERNAL_NET Can anyone confirm this? If I'm not the only one I'll report a bug Cees (BTW Jeff, a pass rule won't work since the IDS isn't placed inline.) On Thu, May 29, 2008 at 7:30 PM, Todd Wease <twease () sourcefire com> wrote:Try var PROXY_SERVER 10.0.0.1 var HOME_NET [10.0.0.0/8,!$PROXY_SERVER<http://10.0.0.0/8,%21$PROXY_SERVER> ] var EXTERNAL_NET !$HOME_NET or try compiling with --enable-ipv6 and use 'ipvar' instead of 'var' Take a look at README.variables. Cees wrote:List, Is it possible to exclude a single IP from HOME_NET? Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and EXTERNAL_NET are defined as follows: var HOME_NET [10.0.0.0/8] var EXTERNAL_NET !$HOME_NET Now image all clients connect to the internet via a proxy server, eg 10.0.0.1. The problem arises that this setup won't detect any malware infections, since (allmost) all malware rules are written for client in HOME_NET accessing EXTERNAL_NET, eg: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".1 80solutions.com"; within: 40; reference:url, www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:7;) Is there any way to exclude the proxy server from HOME_NET? An ideal solution would be something like: var PROXY_SERVER = [10.0.0.1] var HOME_NET [10.0.0.0/8, !$PROXY_SERVER] var EXTERNAL_NET !$HOME_NET However, this syntax results in an error in the sfportscan preprocessor: ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1) Any ideas? Thanks, Cees ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Framework? I don't need no stinking framework! ---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Excluding a single IP from HOME_NET Cees (May 29)
- Re: Excluding a single IP from HOME_NET Jeff Kell (May 29)
- Re: Excluding a single IP from HOME_NET Todd Wease (May 29)
- Re: Excluding a single IP from HOME_NET Cees (May 30)
- Re: Excluding a single IP from HOME_NET Jack Pepper (May 30)
- Re: Excluding a single IP from HOME_NET Jeff Kell (May 30)
- Re: Excluding a single IP from HOME_NET Cees (May 30)
- Re: Excluding a single IP from HOME_NET Jack Pepper (May 30)
- Message not available
- Re: Excluding a single IP from HOME_NET Cees (Jun 06)
- Re: Excluding a single IP from HOME_NET Cees (May 30)