Snort mailing list archives

SHELLCODE_PORTS & double negatives.


From: "Richmond, Ian" <RichmondIan () bfusa com>
Date: Tue, 10 Jul 2012 10:02:42 -0500

Can someone point out the error of my ways concerning SHELLCODE_PORTS please.
The default config for this per the /etc/snort.conf example file is "portvar SHELLCODE_PORTS !80"
I would like to add another port to ignore. My initial reaction was to change this to "portvar SHELLCODE_PORTS !80,!x"
This apparently is wrong and related rules still triggered on this port "x".

So I looked through the docs and found this blurb:
NOTE: The behavior for negating IP, IP lists, and CIDR blocks has changed!
This new behavior is enabled by default regardless of whether or not IPv6
support is enabled.  See the IP Variables and IP Lists section below for
more information.

As well as this:
IPs, IP lists, and CIDR blocks may be negated with '!'.  Negation is handled
differently compared with Snort versions 2.7.x and earlier.  Previously, each
element in a list was logically OR'ed together.  IP lists now OR non-negated
elements and AND the result with the OR'ed negated elements.

Which made me think that the general format should be [a,b,c],![x,y,z].
So I tried this format "portvar SHELLCODE_PORTS ![80,x]".
Snort loaded the config happily and still triggered on rules using SHELLCODE_PORTS and port x.

Is this a known bug/feature? Am I doing it wrong?
How do I negate two ports from SHELLCODE_PORTS properly?
Thank you.


Ian
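The "double negatives" in the subject line can be checked against the wording Ian quotes from the docs: OR the non-negated elements, then AND the result with the OR'ed negated elements. The following Python evaluator is an added example, not Snort's own port-list parser; it applies that quoted rule literally to port-list syntax, using 8080 as a constructed stand-in for Ian's port "x", so one can see which spelling actually removes both ports under that reading.

```python
from typing import List, Set

ALL_PORTS = frozenset(range(65536))


def _atom(tok: str) -> Set[int]:
    """Expand one port atom: "80", "91:95", ":1023", "1024:" or "any"."""
    if tok == "any":
        return set(ALL_PORTS)
    if ":" in tok:
        lo, hi = tok.split(":", 1)
        return set(range(int(lo or 0), int(hi or 65535) + 1))
    return {int(tok)}


def _split_top(body: str) -> List[str]:
    """Split on commas that are not nested inside [...]."""
    items, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]


def matching_ports(spec: str) -> Set[int]:
    """Ports matched by `spec` under the quoted rule: OR the non-negated
    elements, then AND with the OR of the negated elements, where a negated
    element '!e' reads as 'port is not in e'."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1].strip()
    items = _split_top(spec)
    if len(items) == 1 and items[0][:1] not in ("!", "["):
        return _atom(items[0])  # plain atom, no list structure left
    positive = [matching_ports(i) for i in items if not i.startswith("!")]
    negated = [matching_ports(i[1:]) for i in items if i.startswith("!")]
    result = set().union(*positive) if positive else set(ALL_PORTS)
    if negated:
        # OR of the negated elements: a port survives if it is outside ANY one
        # of them, which is why '!80,!8080' still matches both 80 and 8080.
        result &= set().union(*(ALL_PORTS - n for n in negated))
    return result


def excludes(spec: str, *ports: int) -> bool:
    """True if none of `ports` is matched by `spec`."""
    return not (set(ports) & matching_ports(spec))


if __name__ == "__main__":
    for spec in ("!80,!8080", "![80,8080]", "[!80,!8080]"):
        print(f"{spec:12} excludes 80 and 8080: {excludes(spec, 80, 8080)}")
```

Under this literal reading, `!80,!8080` matches every port (not-80 OR not-8080 is always true) while `![80,8080]` excludes both; whether a given Snort build implements the rule this way is exactly what the question asks.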