Project

General

Profile

Actions

Bug #599

closed

IP Rules Failing "not" matching

Added by Digital Ninja over 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Given a HOME_NET of 10.0.0.0/8, and the following rules:

alert ip any any -> any any (msg:"IP Match Test 1"; classtype:misc-activity; sid:2012101101;)
alert ip 10.0.0.0/8 any -> any any (msg:"IP Match Test 2"; classtype:misc-activity; sid:2012101102;)
alert ip any any -> 10.0.0.0/8 any (msg:"IP Match Test 3"; classtype:misc-activity; sid:2012101103;)
alert ip 10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"IP Match Test 4"; classtype:misc-activity; sid:2012101104;)

alert ip !192.168.0.0/16 any -> any any (msg:"IP Match Test 5"; classtype:misc-activity; sid:2012101105;)
alert ip ![192.168.0.0/16] any -> any any (msg:"IP Match Test 6"; classtype:misc-activity; sid:2012101106;)
alert ip any any -> !192.168.0.0/16 any (msg:"IP Match Test 7"; classtype:misc-activity; sid:2012101107;)
alert ip any any -> ![192.168.0.0/16] any (msg:"IP Match Test 8"; classtype:misc-activity; sid:2012101108;)

alert ip 192.168.0.0/16 any -> any any (msg:"IP No Match Test 9"; classtype:misc-activity; sid:2012101109;)

Tests 1,2,3,4 & 9 work as expected, with 1-4 generating alerts and 9 not generating alerts.

Tests 5,6,7 & 8 all fail in that they should be generating alerts, but are not.

Actions #1

Updated by Victor Julien over 10 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.4beta3

Maybe the ip-only code doesn't handle negated matching very well.

Can you add unittests?

A quick fix may be to exclude rules with negated addresses from ip only, but ideally we'd just support it properly.

Actions #2

Updated by Anoop Saldanha over 10 years ago

Going for the quick fix for now.

Will add the unittests as well.

Actions #3

Updated by Anoop Saldanha over 10 years ago

[192.168.0.0/16,!192.168.1.0/24,192.168.1.1]

What would be the interpretation for this?

Is it,

192.168.0.0 - 192.168.0.255, 192.168.1.1 - 192.168.1.1, 192.168.2.0 - 192.168.255.255?

Actions #4

Updated by Victor Julien over 10 years ago

Yeah sounds right.

Actions #5

Updated by Anoop Saldanha over 10 years ago

Should

[192.168.1.0/24, ![192.168.1.10 - 192.168.1.40], 192.168.1.20 - 192.168.1.30]

be

192.168.1.0-192.168.1.9,
192.168.1.20-192.168.1.30,
192.168.1.41-192.168.1.255

or

192.168.1.0-192.168.1.9
192.168.1.41-192.168.1.255

?

Actions #6

Updated by Victor Julien about 10 years ago

  • Target version changed from 1.4beta3 to 1.4rc1
Actions #7

Updated by Anoop Saldanha about 10 years ago

  • % Done changed from 0 to 30
Actions #8

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • % Done changed from 30 to 100

Merged, thanks Anoop!

Actions #9

Updated by Anoop Saldanha about 10 years ago

  • Priority changed from Normal to High
  • Target version changed from 1.4rc1 to 1.4beta3
  • % Done changed from 100 to 0
  • Inspect the existence of this bug on 1.3x branch and fix if it exists.
Actions #10

Updated by Victor Julien about 10 years ago

  • Priority changed from High to Normal
  • Target version changed from 1.4beta3 to 1.4rc1

If the issue exists on 1.3.x as well, please open a ticket for 1.3.5.

Actions

Also available in: Atom PDF