README.variables

IP and Port lists
-----------------
Adam Keeton <akeeton@sourcefire.com>
Documentation last update 2007-08-08

Overview
========
The Snort configuration file allows a user to declare and use variables for
configuring Snort. Variables may contain a string (such as one used in a
path), IPs, or ports.

NOTE: The behavior for negating IPs, IP lists, and CIDR blocks has changed!
See the IP Variables and IP Lists section below for more information.

IP Variables and IP Lists
=========================
IPs may be specified individually, in a list, as a CIDR block, or any
combination of the three. IP variables should be specified using 'ipvar'
instead of 'var'. Using 'var' for an IP variable is still allowed for
backward compatibility, but it will be deprecated in a future release.
Lists of IPs or CIDR blocks must be enclosed in square brackets.

IPs, IP lists, and CIDR blocks may be negated with '!'. Negation is handled
differently compared with Snort versions 2.7.x and earlier. Previously, each
element in a list was logically OR'ed together. IP lists now OR the
non-negated elements together and AND the result with the negated elements,
so an address matches if it falls within at least one non-negated element and
within none of the negated ones. For example, the list:

    [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

will match the IP 1.1.1.1 and the IPs from 2.2.2.0 to 2.2.2.255, with the
exception of 2.2.2.2 and 2.2.2.3.

The order of elements in the list does not matter. The element 'any' can be
used to match all IPs, although '!any' is not allowed. Also, negated IP ranges
that are more general than non-negated IP ranges are not allowed.

Examples of valid uses of IP variables and lists:

    ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

    alert tcp $EXAMPLE any -> any any (msg:"Example"; sid:1;)

    alert tcp [1.0.0.0/8,!1.1.1.0/24] any -> any any (msg:"Example";sid:2;)

Examples of invalid uses of IP variables and lists:

  Use of !any:

    ipvar EXAMPLE any
    alert tcp !$EXAMPLE any -> any any (msg:"Example";sid:3;)

  Or:

    ipvar EXAMPLE !any
    alert tcp $EXAMPLE any -> any any (msg:"Example";sid:3;)

  Logical contradictions:

    ipvar EXAMPLE [1.1.1.1,!1.1.1.1]

  Nonsensical negations:

    ipvar EXAMPLE [1.1.1.0/24,!1.1.0.0/16]
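
As an added illustration (not Snort's own parser), the following Python model implements the IP list rules described above: each element is reduced to an integer interval, the non-negated elements are OR'ed, the result is AND'ed with NOT of the negated elements, and '!any', logical contradictions and negations more general than a non-negated element are rejected. It assumes IPv4 literals only, does not expand $variables, and its function names are this example's own.

```python
import ipaddress
IP_ANY = (0, 2**32 - 1)   # the 'any' keyword: every IPv4 address, as a (lo, hi) interval

def _cidr(s):
    """One IP or CIDR element as a closed (lo, hi) interval of integers."""
    net = ipaddress.ip_network(s, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def _split_top(text):
    """Split the body of '[...]' on the commas that are outside nested brackets."""
    items, depth = [""], 0
    for ch in text.strip()[1:-1]:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append("")
        else:
            items[-1] += ch
    return items

def parse_ip_list(text):
    """Return (positives, negatives); a list holding only negations means 'any minus them'."""
    pos, neg = [], []
    def walk(item, negated):
        item = item.strip()
        if item.startswith("!"):
            walk(item[1:], not negated)      # '!' flips the sense, for '![...]' as well
        elif item.startswith("["):
            for sub in _split_top(item):
                walk(sub, negated)
        else:
            (neg if negated else pos).append(IP_ANY if item == "any" else _cidr(item))
    walk(text, False)
    pos = pos or [IP_ANY]
    for n in neg:   # rejects '!any', [x,!x] and a negation more general than a positive
        if any(n[0] <= p[0] and p[1] <= n[1] for p in pos):
            raise ValueError(f"negated range {n} covers a non-negated element")
    return pos, neg

def is_valid_ip_list(text):
    try:
        parse_ip_list(text)
        return True
    except ValueError:
        return False

def ip_matches(addr, parsed):
    """OR the non-negated elements, AND with NOT (OR of the negated ones)."""
    value = int(ipaddress.ip_address(addr))
    hit = lambda rngs: any(lo <= value <= hi for lo, hi in rngs)
    return hit(parsed[0]) and not hit(parsed[1])
```

Feeding the list from the text above through parse_ip_list and ip_matches reproduces the stated result: 1.1.1.1 and 2.2.2.0 through 2.2.2.255 match, except 2.2.2.2 and 2.2.2.3.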

Port Variables and Port Lists
=============================
Port lists support the declaration and lookup of ports and the representation
of lists and ranges of ports. Variables, ranges, or lists may all be negated
with '!'. Also, 'any' will specify any port, but '!any' is not allowed.
Valid port ranges are from 0 to 65535.

Lists of ports must be enclosed in brackets and port ranges may be specified
with a ':', such as in:

    [80:90,888:900]

Port variables should be specified using 'portvar'. The use of 'var' to
declare a port variable will be deprecated in a future release. For
backwards compatibility, a 'var' can still be used to declare a port variable,
provided the variable name either ends with '_PORT' or begins with 'PORT_'.

Examples of valid uses of port variables and port lists:

    portvar EXAMPLE1 80
    var EXAMPLE2_PORT [80:90]
    var PORT_EXAMPLE2 [1]
    portvar EXAMPLE3 any
    portvar EXAMPLE4 [!70:90]
    portvar EXAMPLE5 [80,91:95,100:200]

    alert tcp any $EXAMPLE1 -> any $EXAMPLE2_PORT (msg:"Example"; sid:1;)
    alert tcp any $PORT_EXAMPLE2 -> any any (msg:"Example"; sid:2;)
    alert tcp any 90 -> any [100:1000,9999:20000] (msg:"Example"; sid:3;)

Examples of invalid uses of port variables and port lists:

  Use of !any:

    portvar EXAMPLE5 !any
    var EXAMPLE5 !any

  Logical contradictions:

    portvar EXAMPLE6 [80,!80]

  Ports out of range:

    portvar EXAMPLE7 [65536]

  Incorrect declaration and use of a port variable (the name neither ends
  with '_PORT' nor begins with 'PORT_', so 'var' does not make it a port
  variable):

    var EXAMPLE8 80
    alert tcp any $EXAMPLE8 -> any any (msg:"Example"; sid:4;)

  Port variable used as an IP:

    alert tcp $EXAMPLE1 any -> any any (msg:"Example"; sid:5;)

Limitations
===========
When embedding variables, types cannot be mixed. For instance, port
variables can be defined in terms of other port variables, but old-style
variables (with the 'var' keyword) cannot be embedded inside a 'portvar'.

Valid embedded variable:

    portvar pvar1 80
    portvar pvar2 [$pvar1,90]

Invalid embedded variable:

    var pvar1 80
    portvar pvar2 [$pvar1,90]

Likewise, variables cannot be redefined if they were previously defined as
a different type. Instead, a different name should be used.

When defining a port variable or an IP variable, do not use a regular variable
in the definition:

Invalid definition:

    var regularvar 80
    portvar pvar $regularvar