
Re: [Snort-users] Question on port lists and negation

From: Jason <security(at)brvenik.com>
Date: Tue Oct 09 2007 - 15:20:18 EDT

Matt Kettler wrote:
> Jason wrote:
>
>>> Hi Matt,
>>>
>>> Thanks for your comments.  I don't understand why these packets are
>>> "no different".  The MY_HTTP_PORTS variable includes 8000.  If I
>>> negate MY_HTTP_PORTS in my rule, why do I get an alert on
>>> 192.168.2.105:50970 -> 192.168.2.103:8000?  Is it because port 8000 in
>>> the packet is not other ports in the variable, like 80, 81, etc.?
>>
>> NOTE: I've not had a chance to look at the code, I could be wrong,
>> please verify.
>>
>> I think there may be two issues working together.
>>
>> 1) not(80 and 81 and 82...) is different than (not 81 and not 81...)
>> 2) not(80 and 81 and 82...) will always be true
>
> By that same logic, [80,81,82..] aka (80 and 81 and 82) would always be
> false, which would make the syntax completely worthless.
>
> AFAIK, all the "comma" operators are OR operators, not AND. It's the
> only sensible operator to use here.
>
> so ![80,81,82..] is:
>
> not (80 or 81 or 82)
>
> and it should work the way you expect.
>
> However, with OR you have to be careful of trying to negate inside the
> brackets,
> ie: [!80,!81,!82..] would become:
>
> (not 80) or (not 81) or (not 82)
>
> which is always true...
>

I readily admit I did not put a lot of thought into it. So... Which way is it?

(80 == (80 | 80))       :       1
(80 == !(80 | 80))      :       0
!(80 == (80 | 80))      :       0
(80 == (!80 | !80))     :       0
(80 == (80 | 81))       :       0
(80 == !(80 | 81))      :       0
!(80 == (80 | 81))      :       1
(80 == (!80 | !81))     :       0
(80 == (80 & 80))       :       1
(80 == !(80 & 80))      :       0
!(80 == (80 & 80))      :       0
(80 == (!80 & !80))     :       0
(80 == (80 & 81))       :       1
(80 == !(80 & 81))      :       0
!(80 == (80 & 81))      :       0
(80 == (!80 & !81))     :       0
(80 == (80 || 80))      :       0
(80 == !(80 || 80))     :       0
!(80 == (80 || 80))     :       1
(80 == (!80 || !80))    :       0
(80 == (80 || 81))      :       0
(80 == !(80 || 81))     :       0
!(80 == (80 || 81))     :       1
(80 == (!80 || !81))    :       0
(80 == (80 && 80))      :       0
(80 == !(80 && 80))     :       0
!(80 == (80 && 80))     :       1
(80 == (!80 && !80))    :       0
(80 == (80 && 81))      :       0
(80 == !(80 && 81))     :       0
!(80 == (80 && 81))     :       1
(80 == (!80 && !81))    :       0
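To make the two readings concrete, here is an added example (not from this thread and not Snort's own code) that evaluates port specifications with the semantics Matt describes: commas OR the elements, a leading ! outside the brackets negates the whole list, and a ! inside an element negates only that element. The contents of MY_HTTP_PORTS are an assumption.

```python
# Constructed stand-in for a snort.conf 'portvar' definition (assumed contents).
PORTVARS = {"MY_HTTP_PORTS": "[80,81,8000]"}

def _element_matches(elem: str, port: int) -> bool:
    """One comma-separated element: 'N', 'lo:hi', ':hi', 'lo:', 'any', '$VAR',
    or any of those prefixed with '!' (which negates only that element)."""
    elem = elem.strip()
    if elem.startswith("!"):
        return not _element_matches(elem[1:], port)
    if elem.startswith("$"):
        return port_matches(PORTVARS[elem[1:]], port)
    if elem == "any":
        return True
    if ":" in elem:
        lo, hi = elem.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(elem) == port

def port_matches(spec: str, port: int) -> bool:
    """Evaluate a port specification against a single port.

    Semantics as discussed in the thread: commas OR the elements, a '!' in
    front of the brackets negates the whole list, and a '!' inside an element
    negates that element alone.  Nested bracket lists are not handled."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        return any(_element_matches(e, port) for e in spec[1:-1].split(","))
    return _element_matches(spec, port)

def classify(spec: str, ports=(80, 81, 8000, 443)) -> dict:
    """Map each sample port to whether `spec` matches it."""
    return {p: port_matches(spec, p) for p in ports}

if __name__ == "__main__":
    # '![...]' excludes the listed ports; '[!..,!..]' matches every port.
    for spec in ("$MY_HTTP_PORTS", "!$MY_HTTP_PORTS",
                 "![80,81,8000]", "[!80,!81,!8000]"):
        print(f"{spec:18} -> {classify(spec)}")
```

Under these semantics `!$MY_HTTP_PORTS` does not match port 8000, so the alert in the original question would be expected only if the rule's port list was written the `[!80,!81,...]` way.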
Received on Tue Oct 9 15:21:18 2007

This archive was generated by hypermail 2.1.8 : Wed Jul 16 2008 - 04:37:34 EDT

