
We have Snort running on one of our servers, which has a network interface with a subnet configuration of 192.168.0.0/16. I want to enable a specific rule, for example a chat rule with sid:2002027, for 192.168.1.0/24, but I don't want the rule to be active for 192.168.2.0/24. What is the best way to achieve this?

alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:13;)

And also, the any keyword, like the one in the above rule, should be limited to 192.168.1.0/24. Otherwise it would affect 192.168.2.0/24. I am trying to automate this because we can have many subnets and many different rules for these subnets.

Any advice would be great.

Alptugay

2 Answers

1

You can use the multiple configurations feature of Snort.

Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This will allow administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required. Each unique snort configuration file will create a new configuration instance within snort.

For details, refer to "Multiple configurations" in https://www.snort.org/documents/snort-users-manual

0

If you just want this specific rule to match anything in the subnet 192.168.1.0/24, then just define that in the rule header. If 192.168.1.0/24 is the range for your server IPs, then the header of the rule would look something like the following:

alert tcp 192.168.1.0/24 6666:7000 -> any any

If you want to use this in multiple rules and be able to add IP addresses, then you should define a variable for these IP addresses and use the variable in all of your rules. For example, in your snort.conf you can add something like the following:

ipvar MY_SERVERS [192.168.1.0/24]

And in all of your rules you would define the header like the following:

alert tcp $MY_SERVERS 6666:7000 -> any any

You can even encompass the entire /16 and just exclude the /24 by defining the variable as follows:

ipvar MY_SERVERS [192.168.0.0/16, !192.168.2.0/24]

This would make the variable include all IP addresses within the 192.168.0.0/16 subnet, with the exception of IPs that fall within the 192.168.2.0/24 subnet range.

johnjg12
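The following is an added example, not part of either answer above and not Snort's own code. It shows, in Python, what the ipvar definition from the second answer actually selects: it parses an ipvar list with the `!` exclusion syntax, checks which addresses the variable covers, and rewrites the source `any` in a rule header to use the variable, which is the repetitive step the question wants to automate. The ipvar line and the rule are copied from the page; the helper names `parse_ipvar`, `matches` and `restrict_source` are assumptions of this example, and the regexes only handle the simple header and list forms shown here.

```python
import ipaddress
import re

# Sample inputs taken from the answer and the question above (constructed test data
# for this example, not read from a real snort.conf)
IPVAR_LINE = "ipvar MY_SERVERS [192.168.0.0/16, !192.168.2.0/24]"
RULE = ('alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; '
        'flow:from_server,established; content:"PING|20|"; depth:5; '
        'flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; '
        'classtype:misc-activity; sid:2002027; rev:13;)')


def parse_ipvar(line):
    """Parse 'ipvar NAME [net, !net, ...]' (brackets optional for a single value).

    Returns (name, included_networks, excluded_networks). A '!' prefix marks an
    exclusion, as in the second answer's /16-minus-/24 definition. Hypothetical
    helper: it covers the list form on this page, not every Snort ipvar variant.
    """
    m = re.fullmatch(r"\s*ipvar\s+(\w+)\s+\[?([^\]]*)\]?\s*", line)
    if not m:
        raise ValueError(f"not an ipvar definition: {line!r}")
    name, body = m.group(1), m.group(2)
    included, excluded = [], []
    for item in (x.strip() for x in body.split(",")):
        if not item:
            continue
        if item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(item, strict=False))
    return name, included, excluded


def matches(ip, included, excluded):
    """True if ip is inside an included network and not inside any excluded one.

    Exclusions win over inclusions, so 192.168.2.x is rejected even though it
    sits inside 192.168.0.0/16.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)


def restrict_source(rule, var_name):
    """Replace the source 'any' in a rule header with $VAR_NAME.

    Only the first address field (action proto SRC port -> dst port) is touched;
    the destination and the rule options are left untouched.
    """
    header_re = re.compile(r"^(\w+\s+\w+\s+)any(\s+\S+\s+->)")
    new_rule, count = header_re.subn(rf"\1${var_name}\2", rule, count=1)
    if count != 1:
        raise ValueError("rule header does not start with 'action proto any port ->'")
    return new_rule


def explain(ipvar_line, rule, probes):
    """Report which probe addresses the variable covers and show the rewritten header."""
    name, inc, exc = parse_ipvar(ipvar_line)
    lines = [f"{name}: include {[str(n) for n in inc]} exclude {[str(n) for n in exc]}"]
    for ip in probes:
        lines.append(f"  {ip:>15} -> {'covered' if matches(ip, inc, exc) else 'not covered'}")
    lines.append(restrict_source(rule, name))
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(IPVAR_LINE, RULE, ["192.168.1.10", "192.168.2.10", "10.0.0.1"]))
```

Run it to see that 192.168.1.10 is covered, 192.168.2.10 is not (the `!` exclusion takes precedence), and 10.0.0.1 is outside the /16 entirely; the last line is the page's rule with `$MY_SERVERS` in place of the source `any`, which is what the second answer proposes. If you maintain many subnets, the same functions can be run over a whole rules file to confirm that every rule's source field references the variable rather than `any`.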