Snort mailing list archives
Re: Snort home net and external net question
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 3 Sep 2010 13:16:32 -0600
You can do:

    HOME_NET [10.215.0.0/16,![10.215.40.0/24]]

but you then can't do:

    EXTERNAL_NET !$HOME_NET

If you set your EXTERNAL_NET to something besides !$HOME_NET it will work, of course.

I never did manage to find a way around this, and like I mentioned, I had to use multiple configs to treat a range in the middle of my home_net as external (which actually worked out much better anyway, since I could have different threshold.conf, rules, etc...). Maybe there is a way to do it effectively/easily that I wasn't told, or could figure out at the time.

________________________________
From: Andy Berryman [mailto:aberryman () Cymtec com]
Sent: Friday, September 03, 2010 11:50 AM
To: Joel Esler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort home net and external net question

Now that's just a crazy idea. Why would someone RTFM? Much easier to be lazy and ask. /sarcasm aside

So, if I'm reading it right, I need to do something like this:

    HOME_NET [10.215.0.0/16,![10.215.40.0/24]]
    EXTERNAL_NET !$HOME_NET

That would include all of the 10.215.x.x as the home net, except 10.215.40.x would be excluded. So then the external net !$HOME_NET should work. But it doesn't.

It's too close to the holiday weekend for me to be thinking like this; brain usage stopped at 5pm Thursday.

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, September 03, 2010 12:42 PM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort home net and external net question

Check out README.variables in the doc/ directory of the tarball.

On Sep 3, 2010, at 1:01 PM, Andy Berryman wrote:

I tried that, but am getting an error. I'm running 2.8.6.0.

    Sep 3 16:51:33 (none) snort[18415]: FATAL ERROR: /snort/conf/general.rules(1) Negated IP ranges that are equal to or are more general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.

    var HOME_NET [10.215.0.0/16]
    var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET]

Is it b/c my home net is a /16 and the external net I'm trying to add is a /24?

Thanks,
Andy

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, September 03, 2010 11:53 AM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort home net and external net question

On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:

If I have my home net of snort set to:

    var HOME_NET [10.215.0.0/16]

How can I make my external net be !$HOME_NET and the 10.215.40.0/24 subnet?

With recent versions of Snort, you can do positives and negatives in the same variable, but the more specific entry needs to come first.

    var HOME_NET [10.215.0.0/16]
    var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]

Should work.

Joel

________________________________
This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
________________________________
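The thread turns on one validation rule, quoted in the FATAL ERROR above: a negated range that is equal to or more general than a non-negated range in the same list is rejected. The following Python model is an added illustration, not part of the thread and not Snort's own code. It parses the bracketed variable syntax the thread uses (including `![cidr]`, `!$VAR` and `any`), applies that rule, and evaluates membership, so the configurations discussed can be compared offline. The function names (parse_ip_list, validate, matches, evaluate_config, config_is_valid) are my own, and the model deliberately ignores entry order, which Joel notes matters in real Snort.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One entry of a Snort-style IP list variable: (negated?, network)
Entry = Tuple[bool, ipaddress.IPv4Network]


def parse_ip_list(text: str,
                  variables: Optional[Dict[str, List[Entry]]] = None) -> List[Entry]:
    """Parse the list syntax used in the thread, e.g.
    '[10.215.0.0/16,![10.215.40.0/24]]', '[10.215.40.0/24,!$HOME_NET]',
    '!$HOME_NET' or 'any'.  '$VAR' expands to a previously parsed variable;
    '!$VAR' inverts every entry of that variable.  Only a single CIDR may be
    wrapped in its own inner brackets, which is all the thread's examples use.
    """
    variables = variables or {}
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    entries: List[Entry] = []
    for token in (t.strip() for t in text.split(",") if t.strip()):
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        if token.startswith("[") and token.endswith("]"):
            token = token[1:-1].strip()
        if token.startswith("$"):
            name = token[1:]
            if name not in variables:
                raise ValueError(f"undefined variable ${name}")
            entries.extend((neg != negated, net) for neg, net in variables[name])
        elif token.lower() == "any":
            entries.append((negated, ipaddress.ip_network("0.0.0.0/0")))
        else:
            entries.append((negated, ipaddress.ip_network(token, strict=False)))
    return entries


def validate(entries: List[Entry]) -> List[Entry]:
    """Reject a negated range that is equal to or more general than any
    non-negated range in the same list (the rule behind the FATAL ERROR)."""
    positives = [net for neg, net in entries if not neg]
    for neg, net in entries:
        if not neg:
            continue
        for pos in positives:
            # pos being a subnet of net (or equal to it) means net is at
            # least as general as pos, which the rule forbids.
            if pos.subnet_of(net):
                raise ValueError(
                    f"negated {net} is equal to or more general than {pos}")
    return entries


def matches(entries: List[Entry], address: str) -> bool:
    """An address matches when it lies in no negated entry and in some
    non-negated entry (a purely negated list such as !$HOME_NET matches
    everything outside its negations)."""
    addr = ipaddress.ip_address(address)
    positives = [net for neg, net in entries if not neg]
    negatives = [net for neg, net in entries if neg]
    if any(addr in net for net in negatives):
        return False
    return not positives or any(addr in net for net in positives)


def evaluate_config(home_net: str, external_net: str,
                    address: str) -> Tuple[bool, bool]:
    """Parse HOME_NET, then EXTERNAL_NET (so it may reference $HOME_NET),
    validate both, and report (in_home_net, in_external_net) for address."""
    variables: Dict[str, List[Entry]] = {}
    variables["HOME_NET"] = validate(parse_ip_list(home_net))
    variables["EXTERNAL_NET"] = validate(parse_ip_list(external_net, variables))
    return (matches(variables["HOME_NET"], address),
            matches(variables["EXTERNAL_NET"], address))


def config_is_valid(home_net: str, external_net: str) -> bool:
    """True if both variables pass the negation rule, False otherwise."""
    try:
        evaluate_config(home_net, external_net, "0.0.0.0")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two configurations the thread shows failing, and Shawn's workaround
    # of setting EXTERNAL_NET to something other than !$HOME_NET.
    print(config_is_valid("[10.215.0.0/16]", "[10.215.40.0/24,!$HOME_NET]"))
    print(config_is_valid("[10.215.0.0/16,![10.215.40.0/24]]", "!$HOME_NET"))
    print(evaluate_config("[10.215.0.0/16,![10.215.40.0/24]]", "any", "10.215.40.5"))
```

Running it reproduces the thread's findings: both `[10.215.40.0/24,!$HOME_NET]` and `!$HOME_NET` against a HOME_NET that itself contains a negation fail the rule, because expanding `!$HOME_NET` turns the excluded /24 into a positive entry sitting under a negated /16. With EXTERNAL_NET set to `any`, 10.215.40.5 is outside HOME_NET and inside EXTERNAL_NET, which is the effect Andy was after, at the cost of EXTERNAL_NET no longer excluding the rest of the home range.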