[Oisf-users] address-group syntax

Michael Stone mstone at mathom.us
Tue Feb 7 21:11:20 UTC 2017


On Tue, Feb 07, 2017 at 09:59:52PM +0100, Andreas Herz wrote:
>On 06/02/17 at 11:27, Michael Stone wrote:
>> Is the syntax for address-groups (e.g., HOME_NET) fully described anywhere?
>> There are config file examples that suggest some syntax, but there's also a
>> todo note in detect-engine-address.c that suggests that certain forms won't
>> work properly (e.g., I think, setting HOME_NET to [!10.0.0.0/8] and
>> EXTERNAL_NET to !HOME_NET / ![!10.0.0.0/8] ?) It's certainly possible to
>> experiment, but it would be nice to know what is supposed to work and what
>> isn't.
>
>Does this part of the doc help you out?
>
>http://suricata.readthedocs.io/en/latest/rules/intro.html#source-and-destination

Not really, since it doesn't seem to reflect the comment in 
detect-engine-address.c:

 * \todo We don't seem to be handling negated cases, like [addr,![!addr,addr]],
 *       since we pass around negate without keeping a count of ! with depth.
 *       Can solve this by keeping a count of the negations with depth, so that
 *       an even no of negations would count as no negation and an odd no of
 *       negations would count as a negation.  

I guess the answer is that the docs should be updated to mention that 
nested negations (including nesting variables that contain negations) 
may not result in the expected behavior? In experimenting it gets to a 
point where suricata will kick out errors saying that all addresses have 
been excluded. 

Mike Stone


