ET MALWARE User-Agent (Mozilla/4.0 (compatible) SID 2008974 alerts for IP that should be negated

[Jeff]

I am seeing alerts on this rule to 216.115.208.230, even though the IP is in the negated IP ranges.

Rule:

alert http $HOME_NET any -> [!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:12;)

Any ideas on what could be causing this to alert or how to fix?

Jeff

[Shane Castle]

Umm - is $EXTERNAL_NET set to 'any'? I think this would render all the negations
null and void. Please note I am not a rule expert. The best place to ask these
questions is on the ET list.

--
Mit besten Grüßen
Shane Castle

[Shane Castle]

I looked in my Snort manual and found this:

IPs, IP lists, and CIDR blocks may be negated with ’!’. Negation is handled
differently compared with Snort versions 2.7.x and earlier. Previously, each
element in a list was logically OR’ed together. IP lists now OR non-negated
elements and AND the result with the OR’ed negated elements.

So: we get a 0 from the list just before the $EXTERNAL_NET part of the list. The
result of the entire list then depends on what's in $EXTERNAL_NET. If it's 'any'
then according to the manual it would be ANDed, which would produce a 0 for the
entire expression (IMHO). If it is something else, the negated components would
be ORed and the non-negated components would be ANDed.

If $EXTERNAL_NET is in fact 'any' then 'any' is handled differently from other
components of the IP list, incorrectly it would seem to me, and this would be a
bug, again IMHO. You might ask on the Snort list, but be sure to disclose what
you have set $EXTERNAL_NET to.