|Main Archive Page > Month Archives > snort-users archives|
Is it possible to exclude a single IP from HOME_NET?
Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and EXTERNAL_NET are defined as follows:
var HOME_NET [10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
Now image all clients connect to the internet via a proxy server, eg 10.0.0.1. The problem arises that this setup won't detect any malware infections, since (allmost) all malware rules are written for client in HOME_NET accessing EXTERNAL_NET, eg:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".1 80solutions.com"; within: 40; reference:url, www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:7;)
Is there any way to exclude the proxy server from HOME_NET?
An ideal solution would be something like:
var PROXY_SERVER = [10.0.0.1]
var HOME_NET [10.0.0.0/8, !$PROXY_SERVER] var EXTERNAL_NET !$HOME_NET
However, this syntax results in an error in the sfportscan preprocessor: ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)