Snort mailing list archives
Re: Quick Rule's Question...
From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 6 Mar 2002 12:30:51 -0800
Hello Erek,

At 11:40 AM -0800 3/6/02, Erek Adams wrote:
> On Wed, 6 Mar 2002, Mark Taber wrote:
> [...snip...]
> > (Rule that is in the web-misc file)
> > alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403 Forbidden"; flags: A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)
> >
> > (Rule that I am creating)
> > pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network) (msg:"WEB-MISC 403 Forbidden"; flags: A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)
>
> You'll need a dst port listed on the dst side of the rule header. In this case since it picks a random port, you'll need to use "any". Since the pass function tells the parser to "stop here, I don't care about this packet", you could cut it down to:
>
> pass tcp $HTTP_SERVERS 80 -> x.x.x.x any
>
> [If I'm wrong, someone jump in and clue-ify me!]
Well, you asked... Not correct. "pass" versus "alert" versus "log" only gets considered after the rule matches on some packet. That is, the signature matching proceeds the same regardless of which of those 3 rule types is specified. The parser does not do anything special with pass rules. Just the signature matching code and then only after it finds a match. (Order of rule application is a whole other discussion.)
As you pointed out, the trimmed down pass rule above will cause all traffic from $HTTP_SERVERS port 80 to x.x.x.x to be ignored (at least for the purposes of the signature matching). This is probably not what you want since this creates a sizable blind spot for you. You want to create as specific a pass rule as possible that also eliminates your false positive (or other alerts you are not interested in). In this case, it means keeping the same "()" pattern as in your original rule. (You could also make it more specific if you don't want to pass on all 403 traffic between the hosts.)
[In Erek's tradition, let me say that I'm pretty sure what I said was correct, but would appreciate being clue'd in if not. :) ]
Best regards,

Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
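Added example (not from the thread, and not Snort's code): a small Python model of Snort-style rule matching that makes Jim's point concrete. It parses the rules quoted above, runs three constructed packets through a rule set containing Erek's trimmed pass rule and then one containing the specific pass rule, and shows that the trimmed rule also swallows a packet that a different alert rule should have caught, while the specific rule suppresses only the 403 false positive. Assumptions: $HTTP_SERVERS is one constructed address, $EXTERNAL_NET means "not one of the web servers", the poster's x.x.x.x is replaced by the constructed 192.0.2.10, the second alert rule (sid 9999999) is invented for the demonstration, and pass rules are tried before alert rules so that their effect is visible (Snort's real rule order is configurable and is the "whole other discussion" Jim sets aside). The model also rejects the poster's original pass rule, which has no destination port, as Erek noted.

```python
"""Toy model of Snort rule header/option matching, written for this thread (not Snort code)."""
import re
from dataclasses import dataclass

# Constructed network: one web server; anything else counts as $EXTERNAL_NET.
HTTP_SERVERS = {"10.0.0.5"}
MY_SERVER = "192.0.2.10"   # constructed stand-in for the "x.x.x.x" in the poster's rule

# Header: action proto src sport -> dst dport, then an optional "(options)" block.
HEADER_RE = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>any|\d+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>any|\d+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict
    text: str

def parse_rule(text):
    """Parse a Snort-style rule; a header without a destination port raises ValueError."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header: " + text)
    opts = {}
    for item in (m.group("opts") or "").split(";"):
        key, _, val = item.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dst"), m.group("dport"), opts, text.strip())

def _addr_ok(spec, ip):
    if spec == "any":
        return True
    if spec == "$HTTP_SERVERS":
        return ip in HTTP_SERVERS
    if spec == "$EXTERNAL_NET":
        return ip not in HTTP_SERVERS
    return spec == ip

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """Header first, then the options; a pass rule is matched exactly like an alert rule."""
    if rule.proto != pkt["proto"]:
        return False
    if not (_addr_ok(rule.src, pkt["src"]) and _port_ok(rule.sport, pkt["sport"])
            and _addr_ok(rule.dst, pkt["dst"]) and _port_ok(rule.dport, pkt["dport"])):
        return False
    flags = rule.opts.get("flags")
    if flags:                                   # "A+" = ACK set, other flags don't matter
        want, have = set(flags.rstrip("+")), set(pkt["flags"])
        if not (want <= have if flags.endswith("+") else want == have):
            return False
    content = rule.opts.get("content")
    if content is not None:                     # depth:N restricts the search to the first N bytes
        depth = int(rule.opts.get("depth", 0)) or None
        if content not in pkt["payload"][:depth]:
            return False
    return True

def evaluate(rules, pkt):
    """Return (action, msg) of the first matching rule. ASSUMPTION: pass rules are
    tried before alert rules; Snort's actual order depends on its configuration."""
    ordered = [r for r in rules if r.action == "pass"] + [r for r in rules if r.action != "pass"]
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action, rule.opts.get("msg", "")
    return "none", ""

SID_1201 = ('alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403 Forbidden";'
            'flags: A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)')
# Constructed second alert rule, standing in for every other signature on the server's traffic.
OTHER_ALERT = ('alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"CONSTRUCTED other signature";'
               'flags: A+; content:"X-Debug"; sid:9999999;)')
# The poster's rule as sent (no destination port), Erek's trimmed version, and the
# specific version Jim recommends (same option block as sid 1201, destination narrowed).
PASS_NO_DPORT = f'pass tcp $HTTP_SERVERS 80 -> {MY_SERVER} (msg:"WEB-MISC 403 Forbidden"; content:"HTTP/1.1 403"; depth:12;)'
PASS_BROAD = f'pass tcp $HTTP_SERVERS 80 -> {MY_SERVER} any'
PASS_SPECIFIC = (f'pass tcp $HTTP_SERVERS 80 -> {MY_SERVER} any (msg:"WEB-MISC 403 Forbidden";'
                 'flags: A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)')

def packet(dst, payload, src="10.0.0.5", sport=80, dport=51234):
    """Constructed server->client TCP segment (PSH+ACK) with the given payload."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": "PA", "payload": payload}

FORBIDDEN_TO_MY_SERVER = packet(MY_SERVER, "HTTP/1.1 403 Forbidden\r\n")
FORBIDDEN_TO_OUTSIDER = packet("198.51.100.7", "HTTP/1.1 403 Forbidden\r\n")
DEBUG_TO_MY_SERVER = packet(MY_SERVER, "HTTP/1.1 200 OK\r\nX-Debug: on\r\n")

def demo():
    """Run the three packets through each rule set and report the action taken."""
    alerts = [parse_rule(SID_1201), parse_rule(OTHER_ALERT)]
    broad = [parse_rule(PASS_BROAD)] + alerts
    specific = [parse_rule(PASS_SPECIFIC)] + alerts
    try:
        parse_rule(PASS_NO_DPORT)
        no_dport = "parsed"
    except ValueError:
        no_dport = "rejected"
    return {
        "no_dport_rule": no_dport,
        "broad": {"403_to_my_server": evaluate(broad, FORBIDDEN_TO_MY_SERVER)[0],
                  "403_to_outsider": evaluate(broad, FORBIDDEN_TO_OUTSIDER)[0],
                  "debug_to_my_server": evaluate(broad, DEBUG_TO_MY_SERVER)[0]},   # blind spot
        "specific": {"403_to_my_server": evaluate(specific, FORBIDDEN_TO_MY_SERVER)[0],
                     "403_to_outsider": evaluate(specific, FORBIDDEN_TO_OUTSIDER)[0],
                     "debug_to_my_server": evaluate(specific, DEBUG_TO_MY_SERVER)[0]},  # still alerts
    }

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the asymmetry Jim describes: both pass rules silence the 403 to 192.0.2.10 and leave the 403 to an outside host alerting, but only the broad rule also hides the constructed "X-Debug" packet from its alert rule, because its header matches every packet on that flow before any option is checked.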