Le lundi 10 septembre 2007 22:06, vous avez écrit :
Thierry CHICH wrote:
I would adapt the rules
BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
to my network. Since I have a lot of RFC1918 computers that are not in my
HOME_NET, I have a lot of FP.
I try the following method. I had the following variables in
the /etc/snort/snort.conf:
var RFC1918 [192.168/16,172.16/12,10/8]
var INTERNET !$RFC1918
I modify the rules as :
alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT
EVENTS
But it doesn't work.
Thanks to Joel (and to an anonymous french guy :)). It seems to work if I
write the variable as :
var RFC1918 [192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]
I am a little bit dubious.
I have written my HOME_NET as
var HOME_NET [192.168.18/24,192.168.22/24,172.23.230/20,172.12.240/20]
and it doesn't seem to bother snort.
Hi Thierry,
Which version of Snort?
snort 2.6
When you say that it doesn't work, do you mean that Snort is still
throwing false positives after making your change?
I had a lot of false positives. Even more than before having modify the rule.
EXTERNAL_NET didn't contain my HOME_NET !
In 2.7 and earlier, doing ![192.168/16,172.16/12,10/8] should exclude
each of those address blocks correctly. Though, do note, if you
actually wrote: [!192.168/16,!172.16/12,!10/8], it will match any IP
since the comma is treated as a logical OR (In 2.8, the behavior is now
to treat each comma separated IP as an AND).
Thanks to your answer. I think I will try snort 2.8 when it become stable, an
dI will be sure that I can use the flexresp2.
Thierry
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
