Snort mailing list archives
RE: catch all rule
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 18 Jun 2001 22:24:21 -0500
Uhm, how about running two instances of snort with different configurations? One instance can monitor only the web traffic and alert on exploits, the other can ignore web traffic and you can use your catch-all rule in there.

It would be nice to have a rules checking priority system... wasn't there talk about that for 1.8? If not, here's the suggestion :)

Until then, running multiple instances will solve the problem.

Regards,
Frank
-----Original Message-----
From: barre [mailto:barre () chello be]
Sent: Tuesday, June 18, 2002 2:18 AM
To: snort-users () lists sourceforge net

In the following example, I want to protect my dmz and will make an "alert" rule for all traffic from and to my dmz.

    alert any any any -> any any (msg:"tcp dmz traffic";)

But in this case, alerts will be generated when people access my webserver. So I make this nice pass rule to grant access to my webserver.

    pass tcp !MY_NET any -> webserver 80

Because this pass rule is applied below the alert rule, I have to use the -o option, to make sure that this previous rule makes an exception to the other rules. But in this scenario, I don't check the content of the pass rule for malicious traffic using the other alert rules. But if I delete the pass rule, it triggers the "catch all other traffic" rule.

Therefore: is there another way to implement a "catch all traffic" rule? Using this rule, you can write rules for all allowed traffic, and alert for all non-defined traffic. All other signatures (http malicious traffic for example) will still be applied to all traffic, even if they are in the pass or catch all rules.
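The trade-off barre describes and the two-instance workaround Frank proposes come down to Snort 1.x first-match rule ordering: rule types are walked alert, pass, log by default, or pass, alert, log with -o, and the first rule that matches decides the packet. The following Python model is an added illustration written for this archive page; it is not Snort code and not from either poster. It assumes constructed RFC 5737 addresses for MY_NET, DMZ and WEBSERVER, uses Snort-style $VAR / !$VAR address specs, narrows barre's "any -> any" catch-all to "any -> $DMZ" for brevity, and uses a placeholder content string for the web signature (not a real exploit pattern). Each Snort instance is modelled as a BPF-style capture filter plus a rule chain, which is how Frank's "one instance watches only web traffic, the other ignores it" split would be configured.

```python
"""Model of Snort 1.x first-match rule ordering (added example, not Snort's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed documentation-range addresses; not from the original thread.
VARS = {
    "MY_NET": ipaddress.ip_network("192.0.2.0/24"),
    "DMZ": ipaddress.ip_network("198.51.100.0/24"),
    "WEBSERVER": ipaddress.ip_network("198.51.100.10/32"),
}


@dataclass
class Packet:
    label: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str                      # alert | pass | log
    proto: str                       # tcp | udp | icmp | ip ("ip" matches any transport)
    src: str                         # "any", "$VAR" or "!$VAR"
    sport: object                    # int or "any"
    dst: str
    dport: object
    msg: str
    content: Optional[bytes] = None  # Snort 'content:' option, substring match


def addr_ok(spec: str, ip: str) -> bool:
    """Resolve 'any', '$VAR' or '!$VAR' against one address, like Snort variables."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = VARS[spec.lstrip("!$")]
    return (ipaddress.ip_address(ip) in net) != negate


def port_ok(spec, port: int) -> bool:
    return spec == "any" or spec == port


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_ok(rule.src, pkt.src) and port_ok(rule.sport, pkt.sport)):
        return False
    if not (addr_ok(rule.dst, pkt.dst) and port_ok(rule.dport, pkt.dport)):
        return False
    return rule.content is None or rule.content in pkt.payload


DEFAULT_ORDER = ("alert", "pass", "log")  # Snort 1.x default type order
O_FLAG_ORDER = ("pass", "alert", "log")   # what 'snort -o' switches to


def first_match(rules, pkt, order=DEFAULT_ORDER):
    """Snort 1.x stops at the first matching rule, walking rule types in `order`."""
    for action in order:
        for r in rules:
            if r.action == action and matches(r, pkt):
                return action, r.msg
    return "none", ""


def run_instance(rules, pkts, order=DEFAULT_ORDER, bpf=lambda p: True):
    """One snort process: optional BPF-style capture filter, then the rule chain.
    Returns {packet label: alert msg} for packets that raised an alert."""
    alerts = {}
    for p in pkts:
        if bpf(p):
            action, msg = first_match(rules, p, order)
            if action == "alert":
                alerts[p.label] = msg
    return alerts


# Rule set: a web signature (placeholder content), barre's catch-all, barre's pass rule.
WEB_SIG = Rule("alert", "tcp", "any", "any", "$WEBSERVER", 80,
               "WEB-CGI constructed test signature", content=b"/cgi-bin/placeholder")
CATCH_ALL = Rule("alert", "ip", "any", "any", "$DMZ", "any", "catch-all dmz traffic")
PASS_WEB = Rule("pass", "tcp", "!$MY_NET", "any", "$WEBSERVER", 80, "allowed web access")

# Constructed traffic: one hit on the signature, one normal request, one non-web probe.
PACKETS = [
    Packet("exploit", "tcp", "203.0.113.7", 40000, "198.51.100.10", 80, b"GET /cgi-bin/placeholder HTTP/1.0"),
    Packet("normal_web", "tcp", "203.0.113.7", 40001, "198.51.100.10", 80, b"GET /index.html HTTP/1.0"),
    Packet("ssh_probe", "tcp", "203.0.113.7", 40002, "198.51.100.20", 22, b"SSH-2.0-client"),
]

IS_WEB = lambda p: p.proto == "tcp" and p.dport == 80  # noqa: E731


def single_instance_default():
    """Default order: catch-all fires on every normal web request (noise)."""
    return run_instance([WEB_SIG, CATCH_ALL, PASS_WEB], PACKETS, DEFAULT_ORDER)


def single_instance_o():
    """With -o the pass rule wins first, so the web signature never sees the exploit."""
    return run_instance([WEB_SIG, CATCH_ALL, PASS_WEB], PACKETS, O_FLAG_ORDER)


def two_instances():
    """Frank's split: one process for web traffic with signatures, one for the rest."""
    web = run_instance([WEB_SIG], PACKETS, bpf=IS_WEB)
    rest = run_instance([CATCH_ALL], PACKETS, bpf=lambda p: not IS_WEB(p))
    return {**web, **rest}


if __name__ == "__main__":
    for name, fn in (("default", single_instance_default),
                     ("-o", single_instance_o),
                     ("two instances", two_instances)):
        print(f"{name:14} {fn()}")
```

Running it shows the three outcomes side by side: with the default order the catch-all alerts on the normal request as well as the probe; with -o the pass rule swallows the exploit so only the SSH probe alerts; with two instances the web process alerts on the exploit, the non-web process alerts on the probe, and the normal request is silent. The one thing the model does not reproduce is cost: two processes capture the same wire twice, so on a busy segment the BPF filters should be as tight as possible.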
Current thread:
- catch all rule barre (Jun 18)
- Re: catch all rule Vitaly Osipov (Jun 19)
- <Possible follow-ups>
- RE: catch all rule Frank Knobbe (Jun 18)
- RE: catch all rule Graham M Locke (Jun 19)