Home page logo
/

snort logo Snort mailing list archives

Re: Network Variables
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 02 May 2013 15:28:05 -0400

On 5/2/2013 15:08, James Lay wrote:
Nicely done Waldo.

thank ya kindly, sir!

it's my programmer/analyst aspect that comes out at times ;)

i hope it works for seth's network in the way he wants it to... my testing 
seemed to indicate that it did WAD (Work As Desired) on my networks and servers 
while googlebot was slurping about and other traffic was flowing... i saw 
traffic to/from those networks to/from that host but none to/from port 80 of 
that host...

we really just needed to see exactly what was wanted in a clear and concise 
statement rather than generalities like we get so many times :)

James

On 2013-05-02 13:00, waldo kitty wrote:
On 5/2/2013 13:23, Seth Dunn wrote:
So now my question comes, since you were wondering about the rule I
was using.
This is my rule::
not net 10.10.0.0/24 and dst host 10.75.45.1&&   dst port 80 or not
net 10.30.0.0/24 and dst host 10.75.45.1&&   dst port 80

ok, i'm going to try to break this down and interpret your wants one
section at a time...

By my understanding, and my desire to see happen is this.
Traffic from the network 10.10.0.0/24 going to http at 10.75.45.1
should be ignored.

(net 10.10.0.0/24 and (host 10.75.45.1 and port 80))

Also, traffic from the network 10.30.0.0/24 going to http at
10.75.45.1 should be ignored.

(net 10.30.0.0/24 and (host 10.75.45.1 and port 80))

All other traffic is still monitored.

the above should qualify your two wants... now, let's streamline them
a bit to make it more legible...

first, let's combine the two source networks into one statement...

net (10.10.0.0/24 or 10.30.0.0/24)

now the destination host and destination port...

host 10.75.45.1 and port 80

then combine those two lines...

net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80

and lastly negate the whole thing by enclosing it in parens with
'not' on the outside...


not (net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port
80)


plug that line into your bpf with the double quotes or whatever you
need to wrap around it and see what happens ;)


FWIW: this was minimally tested on my network via tcpdump and
manually checking the pcap with wireshark...

NOTES:
1. using 'src net' and 'dst host' plus 'dst port' resulted in only
the traffic /to/ the server being ignored but all the traffic from
the server was seen...

2. removing the 'src' and 'dst' designators denotes all traffic in
both directions that fits the mask (if i can use that term to
describe this object)...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault