snort-users May 2008 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: [Snort-users] Excluding a single IP from HOME_NET

[Snort-users] Excluding a single IP from HOME_NET

From: Cees <celzinga_at_nospam>
Date: Thu May 29 2008 - 15:25:02 GMT
To: snort-users@lists.sourceforge.net


List,

Is it possible to exclude a single IP from HOME_NET?

Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and EXTERNAL_NET are defined as follows:

var HOME_NET [10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET

Now image all clients connect to the internet via a proxy server, eg 10.0.0.1. The problem arises that this setup won't detect any malware infections, since (allmost) all malware rules are written for client in HOME_NET accessing EXTERNAL_NET, eg:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".1 80solutions.com"; within: 40; reference:url, www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:7;)

Is there any way to exclude the proxy server from HOME_NET?

An ideal solution would be something like: var PROXY_SERVER = [10.0.0.1]
var HOME_NET [10.0.0.0/8, !$PROXY_SERVER] var EXTERNAL_NET !$HOME_NET

However, this syntax results in an error in the sfportscan preprocessor: ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)

Any ideas?

Thanks, Cees



This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users