Cees | 3 Jun 16:29 2008

ipvar: double negation should logically result in inclusion

Hi list,

This post is a follow-up on a thread on the snort-users list (http://marc.info/?l=snort-users&m=121207471707236&w=2)

When declaring variables using ipvar, it's confusing that double negation doesn't result in inclusion. For example a declaration from README.variables:

ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

("Will match the IP 1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255, with the exception of 2.2.2.2 and 2.2.2.3.")

When inverting the logic for EXTERNAL_NET:
ipvar EXTERNAL_NET !$HOME_NET

This should logically result in: "All IP addresses MINUS (1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)", however, it is not supported:

ERROR: Undefined variable name: (/etc/snort/rules/bad-traffic.rules:27): EXTERNAL_NET

It would be really handy to declare variables like this. Is it possible to support this in future versions?

Tested with Snort version 2.8.1 with IPv6 support
Snort.conf:
--
ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SNMP_SERVERS $HOME_NET

portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var RULE_PATH /etc/snort/rules

include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
--

Thanks, Cees

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-devel mailing list
Snort-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Jason Brvenik | 3 Jun 18:21 2008

Re: ipvar: double negation should logically result in inclusion


> This should logically result in: "All IP addresses MINUS (1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)", however, it is not supported:
> 

Why wouldn't you just define

ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]

Jack Pepper | 3 Jun 20:58 2008

Re: ipvar: double negation should logically result in inclusion

Quoting Jason Brvenik <jasonb <at> sourcefire.com>:

>> This should logically result in: "All IP addresses MINUS (1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)", however, it is not supported:
>
> Why wouldn't you just define
> ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]

You misunderstood his question.  Consider this example:

var PROXY 10.2.3.4
var EXTERNAL_NET [!10.0.0.0/8,$PROXY]

alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (ext - incl proxy)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)

alert icmp !$EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (negated)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)

Results in this error:
ERROR: snort.conf(13) => Negated IP ranges that are equal to or are more-general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.

So the more general statement of the problem is that, "Negated IP  
ranges that are equal to or are more-general than non-negated ranges  
are not allowed.".

Your example fails if any rule references "!$EXTERNAL_NET".

jp

-- 
Framework?  I don't need no steenking framework!

----------------------------------------------------------------
 <at> fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com

Cees | 4 Jun 08:49 2008

Re: ipvar: double negation should logically result in inclusion

> So the more general statement of the problem is that, "Negated IP
> ranges that are equal to or are more-general than non-negated ranges
> are not allowed.".

Yes indeed, thanks for clarifying!

>
> > Why wouldn't you just define
> > ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]
>
> Your example fails if any rule references "!$EXTERNAL_NET".

This fails, even in its original declaration, since !2.2.2.0/24 is
more general than [2.2.2.2,2.2.2.3].

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Jason Brvenik | 4 Jun 16:41 2008

Re: ipvar: double negation should logically result in inclusion


Jack Pepper wrote:
> Quoting Jason Brvenik <jasonb <at> sourcefire.com>:
> 
>>> This should logically result in: "All IP addresses MINUS (1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)", however, it is not supported:
>> Why wouldn't you just define
>> ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]
> 
> You misunderstood his question.  Consider this example:
> 
> var PROXY 10.2.3.4
> var EXTERNAL_NET [!10.0.0.0/8,$PROXY]
> 
> alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (ext - incl proxy)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)
> 
> alert icmp !$EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (negated)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)
> 
> Results in this error:
> ERROR: snort.conf(13) => Negated IP ranges that are equal to or are more-general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
> 
> So the more general statement of the problem is that, "Negated IP  
> ranges that are equal to or are more-general than non-negated ranges  
> are not allowed.".

That error still makes sense, since you would just leave the more general 
range out of the variable. It is never included; it is a redundant statement.

> 
> Your example fails if any rule references "!$EXTERNAL_NET".

We are talking about edge cases. When things like this come up my 
general response is "Don't do that".

The reality is that it is easy to tune it accordingly.

I'm failing to see a general use case for this kind of behavior, let 
alone one that offsets the potential for unintended consequence.


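The semantics the thread has been circling (a list is the union of its non-negated entries minus its negated entries; the README.variables HOME_NET example; Jason's suggested EXTERNAL_NET; Jack's $PROXY case; and the "negated ranges that are equal to or more-general than non-negated ranges" error) can be made concrete with a small model. The Python below is an added example, not code from the thread or from Snort's own ipvar implementation. It assumes the membership rule just stated, reproduces the conflict check as the error message words it, and goes one step beyond the thread by materialising what the requested logical negation of HOME_NET would be as a positive-only list (the complement of the included blocks plus the excluded addresses). The names parse, matches, check_conflicts and negate_logically are the example's own.

```python
# Added example, not from the thread or from Snort: a model of ipvar list
# semantics as the thread describes them (assumptions are marked below).
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network
Spec = Tuple[List[Network], List[Network]]   # (non-negated entries, negated entries)


def tokenize(expr: str) -> List[str]:
    """Split a Snort-style IP list into '[', ']', ',', '!' and address/CIDR/$VAR tokens."""
    tokens, buf = [], ""
    for ch in expr:
        if ch in "[],!":
            if buf:
                tokens.append(buf)
                buf = ""
            tokens.append(ch)
        elif not ch.isspace():
            buf += ch
    if buf:
        tokens.append(buf)
    return tokens


class _Parser:
    """list := entry (',' entry)* ; entry := '!'* ('[' list ']' | $VAR | literal)"""

    def __init__(self, tokens: List[str], variables: Dict[str, Spec]):
        self.toks, self.pos, self.vars = tokens, 0, variables

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_list(self) -> Spec:
        pos, neg = [], []
        while True:
            p, n = self.parse_entry()
            pos.extend(p)
            neg.extend(n)
            if self.peek() != ",":
                return pos, neg
            self.take()

    def parse_entry(self) -> Spec:
        negated = False
        while self.peek() == "!":            # model choice: '!!x' cancels out to 'x'
            self.take()
            negated = not negated
        tok = self.take()
        if tok == "[":
            pos, neg = self.parse_list()
            if self.take() != "]":
                raise ValueError("missing ']'")
        elif tok is not None and tok.startswith("$"):
            if tok[1:] not in self.vars:
                raise ValueError(f"Undefined variable name: {tok[1:]}")
            pos, neg = self.vars[tok[1:]]
        elif tok is None or tok in ",]":
            raise ValueError("expected an address, CIDR block, $VAR or '['")
        else:
            pos, neg = [ipaddress.ip_network(tok, strict=False)], []
        if not negated:
            return list(pos), list(neg)
        if neg:   # the thread's case: '!$HOME_NET' where HOME_NET already excludes something
            raise ValueError("negating a list that itself contains negated entries is not supported")
        return [], list(pos)                 # '![a,b]' excludes a and b


def parse(expr: str, variables: Optional[Dict[str, Spec]] = None) -> Spec:
    parser = _Parser(tokenize(expr), variables or {})
    spec = parser.parse_list()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return spec


def matches(spec: Spec, ip: str) -> bool:
    """Assumed rule (from the README.variables example quoted in the thread): an address
    matches if it is in at least one non-negated entry (or there are none, as in
    '!$HOME_NET') and in no negated entry."""
    pos, neg = spec
    addr = ipaddress.ip_address(ip)
    return (not pos or any(addr in n for n in pos)) and not any(addr in n for n in neg)


def check_conflicts(spec: Spec) -> List[Tuple[Network, Network]]:
    """Pairs (negated, non-negated) where the negated block equals or contains the
    non-negated one: the condition the Snort error message describes."""
    pos, neg = spec
    return [(n, p) for n in neg for p in pos if p.subnet_of(n)]


def complement(nets: List[Network]) -> List[Network]:
    """All of IPv4 space minus the given blocks, as CIDR blocks (blocks either nest or are disjoint)."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in nets:
        nxt = []
        for block in remaining:
            if block.subnet_of(net):
                continue                     # block entirely removed
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))
            else:
                nxt.append(block)
        remaining = nxt
    return remaining


def negate_logically(spec: Spec) -> Spec:
    """What '!$HOME_NET' would mean if double negation were inclusion:
    NOT (P minus N) == (NOT P) union N, written as a list with no negated entries."""
    pos, neg = spec
    if not pos:                              # a purely negative list: its negation is just N
        return list(neg), []
    return complement(pos) + list(neg), []


def can_parse(expr: str, variables: Optional[Dict[str, Spec]] = None) -> bool:
    try:
        parse(expr, variables)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    home = parse("[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]")
    print("HOME_NET conflicts:", check_conflicts(home))
    print("suggested EXTERNAL_NET conflicts:", check_conflicts(parse("[!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]")))
    print("!$HOME_NET representable:", can_parse("!$HOME_NET", {"HOME_NET": home}))
    print("logical negation matches 2.2.2.2:", matches(negate_logically(home), "2.2.2.2"))
```

Run it with the thread's declarations: HOME_NET passes the conflict check; the suggested EXTERNAL_NET is flagged twice because !2.2.2.0/24 contains both 2.2.2.2 and 2.2.2.3; Jack's [!10.0.0.0/8,$PROXY] is flagged once; and parse("!$HOME_NET") is refused because HOME_NET already carries a negated entry. negate_logically(HOME_NET) yields a list with no negated entries at all, so the restriction the error message describes never applies to it.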
renuka prasad | 5 Jun 17:35 2008

profiler for snort

hi all

could any one of you please help me with how to go about getting involved in the snort project development ---

i am interested in writing a profiler (for forecasting attacks) module for snort ...

should i write it as a plugin for snort, or how else could my module be included in snort so that i can use it for my research?

is it possible -- and in general i want to understand in depth the working of snort --- how to go about it -- please help me

Giacomo Tesio | 9 Jun 18:12 2008

React with InlineMode

Hello every body!

I'm working on integrating sp_react.c better with inline mode, since we need it in IPS mode to comply with a new Italian law.


But I have some questions:
- has react:warn ever worked? If not, can I completely drop its code (and log a warning where it is found in a rule)?
- since block is the only basic option, can I consider it the default (if not given)?
- is there some arcane reason I'm missing for fixing the tcp data size to 1024?
- where should I send the patch?

By looking at the code, I've found some easy bugs I will fix in the patch too (missing TH_ACK, the proxy modifier not working when a port is given).


I've also opened a topic in the forum some days ago, but with no reply: http://www.snort.org/reg-bin/forums.cgi?forum_id=4&topic_id=6050



Ah... Thanks for your wonderful software! :-D

--
Giacomo Tesio
http://www.tesio.it

Giacomo Tesio | 10 Jun 09:27 2008

Re: React with InlineMode

Actually I didn't know... but asking my CEO, she said that it's to comply with the Decreto Gentiloni, which is against child pornography.

Looking at http://www.comunicazioni.it/binary/min_comunicazioni/normativa/pedopornografia.pdf, I could understand that this law creates a national centre to fight online paedophilia by collecting a blacklist of IPs/domains.
Internet providers (like us) have to filter traffic coming from those sites/IPs.

To add value to this legal duty, we decided to use Snort as an IPS to protect our clients from dangerous sites.


The law says that users should be alerted about the forbidden content.
So we decided to correct and better integrate the react plugin.



Probably missing the right way to communicate, I'm trying to understand who to send patches for the code and the documentation to.

Is this list the right place?
In some of our tests, we found react to be a funny/ambitious hack (but with many little bugs, which I'm fixing).
By integrating it better with inline mode, we hope to make it really useful (and it actually will be used, at least by us).


Thanks for your help...


Giacomo Tesio

2008/6/9 Leon Ward <seclists <at> rm-rf.co.uk>:
Off topic:

What new Italian law?

Cheers

-Leon





--
Giacomo Tesio
http://www.tesio.it
Steven Sturges | 10 Jun 14:58 2008

Re: React with InlineMode

Hi Giacomo--

Yes, please send patches to this list.

There should be a number of developers interested to see your work,
as well as comment on additional features or recommend changes.

Cheers.
-steve


Giacomo Tesio | 10 Jun 16:25 2008

Re: React with InlineMode

Ok...

Just another question: today, reading the documentation patch (I patched snort_manual.tex first; it's one of our best practices) and talking about the new features with the colleague designing the "network use case" (Davide Diana, who identified the first react bug we are fixing, about the missing ACK flag in sent packets), we realized that a completely new plugin (working only with inline rules) could be a cleaner solution.

React was a funny network hack, but inline mode offers better solutions to block dangerous/forbidden content altogether, without disclosing to the attacker/forbidden server information about the Snort presence (and version).


Since it's done, we will actually send back the fixes we have made to sp_react.c (let me clean it up a bit :-D), but what do you think about a new "warn" keyword available only on inline rules (drop, sdrop and reject)?

Such a keyword would make Snort send a warning to the destination of the matched packet (aka the "victim").
I'd like to send different warnings for different protocols, but I have no time, so only HTTP warnings will be implemented (but an IRC warning, for example, could be quite easy to implement).


What do you think about this?

I think such a system could be really useful in many IPS configurations.
Note that these are just ideas... If you think react is enough, let me know... :-D


Giacomo



--
Giacomo Tesio
http://www.tesio.it