Snort mailing list archives
Ri: Re: rule processing.
From: "Federico" <egopfe () hotmail com>
Date: Mon, 1 Apr 2002 16:50:10 +0200
Ok, try to imagine this scenario, I need that snort generates an alert in this way: Alert from all syn patckets from 192.168.5.0/24 except 192.168.5.1, 192.168.5.31, 192.168.5.220 to all net 192.168.4.0/24 except 192.168.4.6, 192.168.4.31, 192.168.4.243 how to manage this rule ? I can act in two ways: 1) FIRST WAY var LAN [192.168.5.0/24] var DMZ [192.168.4.0/24] var no_alert_from [192.168.5.1,192.168.5.31,192.168.5.220] var no_alert_to [192.168.4.6,192.168.4.31, 192.168.4.243] so the rule can be: alert tcp from !$no_alert_from any -> !$no_alert_to any ... ... ... ... but if I do this... I generate alert from ALL NET except no_alert_from ip and no_alert_to ip .... here the problem! I can't discriminate ip in one net! from the interface that runs snort pass traffic from many nets.... not only that two ones... 2) SECOND WAY If I use the "pass" rule I get the same problem! var LAN [192.168.5.0/24] var DMZ [192.168.4.0/24] var no_alert_from [192.168.5.1,192.168.5.31,192.168.5.220] var no_alert_to [192.168.4.6,192.168.4.31, 192.168.4.243] pass tcp $no_alert_from any -> $no_alert_to any .. .. .. alert $LAN any -> $DMZ any ... ... the second rule easily generate an alert also with the pass rules!!! don't it ? Federico ----- Original Message ----- From: "Chris Green" <cmg () snort org> To: "Federico Lombardo" <egopfe () hotmail com> Cc: <snort-users () lists sourceforge net> Sent: Wednesday, March 27, 2002 1:47 PM Subject: Re: [Snort-users] rule processing.
"Federico Lombardo" <egopfe () hotmail com> writes:Is possibile with snort to make rule processing like a firewall (such as ipfilter or iptable) ? I mean this: I put some rule in insertion number rule 1 rule 2 rule 3 If the rule 2 matches the packet for its kind of connection and hosts, rule 3 is not processed.Thats how the alert system works. There are also pass rules. To get pass rules to be evaluated before the alerts, use the -o command line option. -- Chris Green <cmg () snort org> This is my signature. There are many like it but this one is mine.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: rule processing. Chris Green (Apr 02)
- Ri: Re: rule processing. Federico (Apr 01)