Snort mailing list archives
Re: Negated IP Ranges
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 14 Oct 2011 17:39:56 -0400
Brandon, if you want to totally ignore the IPs, I'd use either BPF, or the whitelist/blacklist preprocessor. Try this:

ipvar HOME_NET [!10.20.3.129,!10.20.3.130,10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,10.20.17.0/24,10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,10.20.65.0/24,10.20.77.0/24]

Which is the inverted logic, just as Snort asks you to do.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 13, 2011, at 4:42 PM, Brandon Phelps wrote:
I am trying to prevent alerts coming from 2 specific IP addresses from a subnet that I monitor. Here are the
appropriate snort.conf lines:
# Setup the network addresses you are protecting
ipvar HOME_NET [10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,10.20.17.0/24,10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,10.20.65.0/24,10.20.77.0/24,[!10.20.3.129,!10.20.3.130]]
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
This, to me, looks like it should work perfectly fine. I want to monitor the 10.20.3.0/24 subnet, but not the
specific IP addresses 10.20.3.129 or 10.20.3.130. However when attempting to start Snort with these rules, I get
this:
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(42) Negated IP ranges that are more general than non-negated ranges are not allowed.
Consider inverting the logic in EXTERNAL_NET.
Fatal Error, Quitting..
Line 42 of snort.conf is the EXTERNAL_NET ipvar... why would this be a problem? How would I exclude those two
specific /32 addresses?
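A small Python model of how a Snort-style IP list with negated entries is matched, and why `ipvar EXTERNAL_NET !$HOME_NET` can trip the "more general than non-negated ranges" check. This is an added example, not code from the thread or from Snort itself; the matching rule (an address is in the list when a positive entry covers it and no negated entry does), the flattening of nested brackets, and the way inversion flips every entry's sign are assumptions of the model, chosen to reproduce the error reported above for the list Brandon posted.

```python
import ipaddress

# Constructed from the HOME_NET line quoted in the thread (nested brackets kept).
HOME_NET_SPEC = ("[10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,"
                 "10.20.17.0/24,10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,"
                 "10.20.65.0/24,10.20.77.0/24,[!10.20.3.129,!10.20.3.130]]")


def parse_ip_list(spec):
    """Split a bracketed list into (included, excluded) IPv4 networks.
    Assumption: nested brackets flatten into one list, "any" is 0.0.0.0/0.
    This is a simplified model, not Snort's own parser."""
    included, excluded = [], []
    for item in spec.replace("[", "").replace("]", "").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        text = item.lstrip("!")
        net = ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)
        (excluded if negated else included).append(net)
    return included, excluded


def matches(addr, included, excluded):
    """Model rule: covered by a positive entry and by no negated entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in included) and not any(ip in n for n in excluded)


def invert(included, excluded):
    """Model of `ipvar EXTERNAL_NET !$HOME_NET`: every entry changes sign."""
    return list(excluded), list(included)


def overly_general_negations(included, excluded):
    """(negated, positive) pairs where the negated range strictly contains a
    positive one, i.e. the condition the error message complains about."""
    return [(neg, pos) for neg in excluded for pos in included
            if pos != neg and pos.subnet_of(neg)]


def check_snort_conf(spec=HOME_NET_SPEC):
    """Evaluate HOME_NET and its inversion; returns the findings as a dict."""
    home = parse_ip_list(spec)
    external = invert(*home)
    return {
        "home_net_excludes_129": not matches("10.20.3.129", *home),
        "home_net_bad": overly_general_negations(*home),
        # After inversion the two /32s become positive and sit inside the
        # negated 10.20.3.0/24, which is exactly what gets rejected.
        "external_net_bad": overly_general_negations(*external),
    }
```

Running `check_snort_conf()` shows HOME_NET itself passing the check while the inverted EXTERNAL_NET list fails on both /32 addresses, which matches the error being reported at the EXTERNAL_NET line rather than the HOME_NET line.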