From: James Lay (jlay@slave-tothe-box.net)
Date: Thu May 02 2013 - 14:08:07 CDT
Nicely done Waldo.
James
On 2013-05-02 13:00, waldo kitty wrote:
> On 5/2/2013 13:23, Seth Dunn wrote:
>> So now my question comes, since you were wondering about the rule I was using.
>> This is my rule:
>> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>
> ok, i'm going to try to break this down and interpret your wants one section at a time...
>
>> By my understanding, and my desire to see happen is this.
>> Traffic from the network 10.10.0.0/24 going to http at 10.75.45.1 should be ignored.
>
> (net 10.10.0.0/24 and (host 10.75.45.1 and port 80))
>
>> Also, traffic from the network 10.30.0.0/24 going to http at 10.75.45.1 should be ignored.
>
> (net 10.30.0.0/24 and (host 10.75.45.1 and port 80))
>
>> All other traffic is still monitored.
>
> the above should qualify your two wants... now, let's streamline them a bit to make it more legible...
>
> first, let's combine the two source networks into one statement...
>
> net (10.10.0.0/24 or 10.30.0.0/24)
>
> now the destination host and destination port...
>
> host 10.75.45.1 and port 80
>
> then combine those two lines...
>
> net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80
>
> and lastly negate the whole thing by enclosing it in parens with 'not' on the outside...
>
> not (net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80)
>
> plug that line into your bpf with the double quotes or whatever you need to wrap around it and see what happens ;)
>
> FWIW: this was minimally tested on my network via tcpdump and manually checking the pcap with wireshark...
>
> NOTES:
> 1. using 'src net' and 'dst host' plus 'dst port' resulted in only the traffic /to/ the server being ignored but all the traffic from the server was seen...
>
> 2. removing the 'src' and 'dst' designators denotes all traffic in both directions that fits the mask (if i can use that term to describe this object)...
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please keep mailing list traffic on the list unless
> private contact is specifically requested and granted.
>
>
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
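As an added example (not from the thread), the BPF primitives used in the quoted exchange are modelled as Python predicates and both Seth's original rule and waldo's rewritten rule are evaluated against constructed packets, which makes the effect of BPF operator precedence and of the unqualified `net`/`host`/`port` keywords visible. The packet dictionaries, the `evaluate` helper and the sample addresses inside the two /24s are assumptions for illustration.

```python
# Added example: model BPF primitives as predicates over a constructed packet
# (a dict with src, dst, sport, dport) and compare the two filters from the thread.
# Assumed BPF semantics: 'not' binds tightest, then 'and', then 'or'; an
# unqualified net/host/port matches either end of the packet.
import ipaddress

def net(cidr):
    n = ipaddress.ip_network(cidr)
    return lambda p: any(ipaddress.ip_address(a) in n for a in (p["src"], p["dst"]))

def host(ip):
    return lambda p: ip in (p["src"], p["dst"])

def port(n):
    return lambda p: n in (p["sport"], p["dport"])

def dst_host(ip):
    return lambda p: p["dst"] == ip

def dst_port(n):
    return lambda p: p["dport"] == n

NET_A, NET_B, SERVER = "10.10.0.0/24", "10.30.0.0/24", "10.75.45.1"

def original_filter(p):
    # Seth's rule with BPF precedence written out:
    # (not net A and dst host S and dst port 80) or (not net B and dst host S and dst port 80)
    return ((not net(NET_A)(p)) and dst_host(SERVER)(p) and dst_port(80)(p)) or \
           ((not net(NET_B)(p)) and dst_host(SERVER)(p) and dst_port(80)(p))

def rewritten_filter(p):
    # waldo's rule: not (net (A or B) and host S and port 80)
    return not ((net(NET_A)(p) or net(NET_B)(p)) and host(SERVER)(p) and port(80)(p))

def packet(src, dst, sport, dport):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport}

# Constructed sample traffic (addresses inside the /24s are made up)
SAMPLES = {
    "A_to_web": packet("10.10.0.5", SERVER, 40001, 80),      # wanted: ignored
    "web_to_A": packet(SERVER, "10.10.0.5", 80, 40001),      # reply leg, wanted: ignored
    "B_to_web": packet("10.30.0.7", SERVER, 40002, 80),      # wanted: ignored
    "other_to_web": packet("10.20.0.9", SERVER, 40003, 80),  # wanted: monitored
    "A_to_ssh": packet("10.10.0.5", SERVER, 40004, 22),      # wanted: monitored
}

def evaluate(flt):
    """Map each sample name to True if the filter accepts (captures) the packet."""
    return {name: flt(p) for name, p in SAMPLES.items()}
```

Running `evaluate` on both filters shows the original rule capturing the two /24-to-web flows it was meant to ignore while dropping the SSH flow, whereas the rewritten rule produces the intended result and, because `net`/`host`/`port` are unqualified, also ignores the server's reply leg.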