Bug #599

closed

IP Rules Failing "not" matching

Added by Digital Ninja over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal

Description

Given a HOME_NET of 10.0.0.0/8, and the following rules:

alert ip any any -> any any (msg:"IP Match Test 1"; classtype:misc-activity; sid:2012101101;)
alert ip 10.0.0.0/8 any -> any any (msg:"IP Match Test 2"; classtype:misc-activity; sid:2012101102;)
alert ip any any -> 10.0.0.0/8 any (msg:"IP Match Test 3"; classtype:misc-activity; sid:2012101103;)
alert ip 10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"IP Match Test 4"; classtype:misc-activity; sid:2012101104;)

alert ip !192.168.0.0/16 any -> any any (msg:"IP Match Test 5"; classtype:misc-activity; sid:2012101105;)
alert ip ![192.168.0.0/16] any -> any any (msg:"IP Match Test 6"; classtype:misc-activity; sid:2012101106;)
alert ip any any -> !192.168.0.0/16 any (msg:"IP Match Test 7"; classtype:misc-activity; sid:2012101107;)
alert ip any any -> ![192.168.0.0/16] any (msg:"IP Match Test 8"; classtype:misc-activity; sid:2012101108;)

alert ip 192.168.0.0/16 any -> any any (msg:"IP No Match Test 9"; classtype:misc-activity; sid:2012101109;)

Tests 1, 2, 3, 4 & 9 work as expected, with 1-4 generating alerts and 9 not generating alerts.

Tests 5, 6, 7 & 8 all fail in that they should be generating alerts, but are not.
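
Added example, not part of the original report and not Suricata's own code: a reference model in Python that evaluates the source and destination address specs of the nine rules above, including `!` negation, to list which sids the report expects for a given packet. Assumptions: the function names `addr_matches` and `expected_alerts` are hypothetical, the packet addresses are constructed, and a bracketed list is taken to mean "any non-negated member matches and no negated member matches".

```python
import ipaddress
import re

# Rule lines copied from the report; only the src/dst address specs are modelled.
RULES = """\
alert ip any any -> any any (msg:"IP Match Test 1"; classtype:misc-activity; sid:2012101101;)
alert ip 10.0.0.0/8 any -> any any (msg:"IP Match Test 2"; classtype:misc-activity; sid:2012101102;)
alert ip any any -> 10.0.0.0/8 any (msg:"IP Match Test 3"; classtype:misc-activity; sid:2012101103;)
alert ip 10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"IP Match Test 4"; classtype:misc-activity; sid:2012101104;)
alert ip !192.168.0.0/16 any -> any any (msg:"IP Match Test 5"; classtype:misc-activity; sid:2012101105;)
alert ip ![192.168.0.0/16] any -> any any (msg:"IP Match Test 6"; classtype:misc-activity; sid:2012101106;)
alert ip any any -> !192.168.0.0/16 any (msg:"IP Match Test 7"; classtype:misc-activity; sid:2012101107;)
alert ip any any -> ![192.168.0.0/16] any (msg:"IP Match Test 8"; classtype:misc-activity; sid:2012101108;)
alert ip 192.168.0.0/16 any -> any any (msg:"IP No Match Test 9"; classtype:misc-activity; sid:2012101109;)
"""

HEADER = re.compile(r"^alert ip (\S+) \S+ -> (\S+) \S+ \(.*sid:(\d+);\)$")

def addr_matches(spec, ip):
    """True if ip satisfies spec: any, CIDR, flat [a,b,!c] list, optional leading !."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        # Assumed list semantics: (any positive member) and (no negated member).
        items = [s.strip() for s in spec[1:-1].split(",")]
        pos = [s for s in items if not s.startswith("!")]
        neg = [s[1:] for s in items if s.startswith("!")]
        included = any(addr_matches(s, ip) for s in pos) if pos else True
        return included and not any(addr_matches(s, ip) for s in neg)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def expected_alerts(src, dst, rules=RULES):
    """Return the sids whose src and dst address specs both match the packet."""
    sids = []
    for line in rules.strip().splitlines():
        m = HEADER.match(line.strip())
        if m is None:
            continue  # not a rule line in the modelled form
        src_spec, dst_spec, sid = m.groups()
        if addr_matches(src_spec, src) and addr_matches(dst_spec, dst):
            sids.append(int(sid))
    return sids

if __name__ == "__main__":
    # Constructed packet inside the report's HOME_NET of 10.0.0.0/8.
    for sid in expected_alerts("10.1.1.1", "10.2.2.2"):
        print("expected alert: sid", sid)
```

Comparing this list with the sids an engine actually logs for the same packet gives a quick regression check for negated-address handling.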
