When writing custom IPS rules, can I use variables?

Yes, we provide administrators access to variables. These variables are used in rules to specify criteria for the source and destination of a packet. The most important variable is $HOME_NET. $HOME_NET defines the network or networks you are trying to protect. Under no circumstances should you change or delete the default variables; you can add exceptions, but only if you are very familiar with them. Learn more about IPS variables in the Untangle Wiki.
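
An added example (not Untangle's or Suricata's own code) that checks whether an address is selected by a variable written in the Suricata address syntax: bracketed comma-separated lists, `!` negation, `$` references to other variables, and bare hosts. `HOME_NET` uses the value quoted in the comments on this page; the `EXTERNAL_NET` and `EXTERNAL_WHITELIST` values and the function names are constructed for illustration.

```python
import ipaddress

def split_top(body):
    """Split a group body on commas that sit outside nested [...] groups."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if depth < 0:
            raise ValueError("unbalanced ']' in " + repr(body))
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if depth:
        raise ValueError("unbalanced '[' in " + repr(body))
    return parts + [cur]

def matches(value, ip, variables):
    """True if `ip` is selected by `value`. Every list element is parsed
    (no short-circuit), so a malformed entry always raises ValueError.
    A bare address is treated as a single host (/32 or /128)."""
    value = value.strip()
    if value.startswith("!"):                 # negation of an element or group
        return not matches(value[1:], ip, variables)
    if value.startswith("$"):                 # reference to another variable
        return matches(variables[value[1:]], ip, variables)
    if value == "any":
        return True
    if value.startswith("["):                 # bracketed group
        if not value.endswith("]"):
            raise ValueError("missing ']' in " + repr(value))
        items = [i.strip() for i in split_top(value[1:-1])]
        if "" in items:
            raise ValueError("empty element in " + repr(value))
        pos = [i for i in items if not i.startswith("!")]
        neg = [i for i in items if i.startswith("!")]
        included = any([matches(i, ip, variables) for i in pos]) if pos else True
        return included and all([matches(n, ip, variables) for n in neg])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)

# HOME_NET is the value shown on this page; the other two are constructed samples.
VARS = {
    "HOME_NET": "[184.178.41.128/28,192.168.8.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "EXTERNAL_WHITELIST": "[203.0.113.10,198.51.100.0/24,!198.51.100.7]",
}

if __name__ == "__main__":
    for ip in ("192.168.8.20", "203.0.113.10", "198.51.100.7"):
        print(ip, {n: matches(v, ip, VARS) for n, v in VARS.items()})
```

A /31 prefix covers two addresses, so an entry such as 1.2.3.4/31 also selects 1.2.3.5; use /32 or the bare address when the variable should name exactly one host.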


Comments

8 comments


  • Robert Townley

    Please provide an example of a variable that contains a list of IP addresses and subnets.

  • Tiffany

    Robert,
    I am not sure what you are looking for exactly. It might be best if you open a ticket with support so that we can get into more specifics of what you are looking for and where you can find it.

  • Chris Blaise

    An example of a variable with IP addresses and subnets would be a CIDR separated list inside brackets like this:
    [192.168.1.0/24,192.168.2.0/24,1.2.3.4/32]

  • Robert Townley

    Yes, that is part of the JSON configuration file syntax, but what is the syntax for the Untangle GUI? Do you include the square brackets when using the Untangle web interface?

    If the IP addresses are a list of standalone IPs (single IP address to WhiteList), do you still have to have a forward slash? If so, some systems work with /31, others /32, what does Untangle expect?

    Where is the file or $envVar that defines the preexisting IP addresses? That way I could make sure it looks just like that.

  • Chris Blaise

    The Suricata syntax is what we allow in the UI so the brackets work.
    I believe the /32 for single hosts is optional.
    The variable with the existing IP addresses is HOME_NET.

  • Robert Townley

    Put the brackets back in without /32, but IPS still blocks $EXTERNAL_WHITELIST. All the WhiteList signatures are in GROUP ID 777, but it is not found in reporting, so there must be something else misconfigured.

    In regards to $HOME_NET, I am asking where exactly is it defined? If I could see that, then I would copy that syntax.

  • Robert Townley

    I forgot I had already found that.
    cat /etc/suricata/suricata.yaml | egrep '(HOME)'
    HOME_NET: '[184.178.41.128/28,192.168.8.0/24]'

    So next is to try /31 and /32.
