Suricata

Can you check:

"[10.10.10.0/24, !10.10.10.247/32]" 

thanks

Suricata v2.0dev

[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:827) <Error> (DetectAddressSetup) -- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/32" 
[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:1265) <Error> (DetectAddressTestConfVars) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/32]". Please check it's syntax
[9312] 12/8/2013 -- 14:06:03 - (suricata.c:1907) <Error> (main) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricatagit/suricata/suricata.yaml for errors

With Suricata v1.4.5 it works fine .

It's a git version problem ?

Sorry ,

with suricata v1.4.5 it start fine but continue to check for ip that I dont want to check :(

"[10.10.10.0/24, !10.10.10.247/32]" 

https://github.com/inliniac/suricata/pull/508

Do not works :(

# /usr/suricatadev/bin/suricata -V
This is Suricata version 2.0dev (rev e2f4144)

I have tried

HOME_NET: "[10.10.10.0/24, !10.10.10.247]" 
HOME_NET: "[10.10.10.0/24, !10.10.10.247/32]" 
HOME_NET: "[10.10.10.0/24, !10.10.10.247/255.255.255.0]" 

Same error

failed to parse address

Seems fine to me.

Unittest - https://github.com/inliniac/suricata/pull/512

sorry, what is the correct syntax to check a subnet but exclude one ip ?

Thanks

Paolo,

HOME_NET: "[10.10.10.0/24, !10.10.10.247]"

But I have tried it, and does not work .

This is a part of log when I start suricata whit your suggested configuration

...
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; content:"<applet"; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3124
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3127
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3130
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3133
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3139
....

Does it matter if you leave or not a space between the nets?

Yes, same problem .

I have the same problem as Paolo Dangeli .

[root@wcc-pt-seccheck01 suricata]# suricata -V
This is Suricata version 2.0beta1 RELEASE

I have tested the patch in [[https://github.com/inliniac/suricata/pull/508]]

Suricata report a error that like this " error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any" all the same.
I think this is not only because space ,also because in parsing "!".