Snort mailing list archives

RE: Help with pass rule


From: francisv () dagupan com
Date: Thu, 29 Aug 2002 08:23:04 +0800

Erek,

I have defined the following:

        var HOME_NET 192.168.0.0/22
        var SERVERS_NET 192.168.1.128/25
        var DIALUP_NET 192.168.1.0/25
        var EXTERNAL_NET !$HOME_NET

However, there are still things that are not clear to me. If I change the
ordering of snort to pass->alert->log instead of alert->pass->log using
option "o", why do I still get the scan proxy/socks alert even if I
allowed it to pass?

        pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
        pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
        pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

Is it a bug or a feature?

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net] 
Sent: Thursday, August 29, 2002 1:15 AM
To: francisv () dagupan com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Help with pass rule

On Wed, 28 Aug 2002 francisv () dagupan com wrote:

I have the following line:

      preprocessor portscan-ignorehosts: $HOME_NET

in my snort.conf file. Is portscan-ignorehosts directly related to scan
attempts?

Yes.  It's part of the portscan preprocessor.  It tells the plugin what IPs
to ignore 'scans' from.  The logic of portscan is something like "If you see
over X connections to a port or multiple ports in Y seconds, then it's a
portscan."  DNS servers can set it off if they're not set up right.

You may want to change your HOME_NET and EXTERNAL_NET values, depending on
how you see your network.  If SERVER_NET is also HOME_NET then I would define
EXTERNAL_NET as !$HOME_NET.  That would set it to every IP except your
HOME_NET.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
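Added example, not code from this thread or from Snort itself: a small Python model of the two mechanisms the thread discusses, using the thread's own HOME_NET/EXTERNAL_NET values. Part one is a portscan-style detector in the shape Erek describes (more than X distinct ports from one source within Y seconds) with a portscan-ignorehosts list, which suppresses scans coming from the listed hosts. Part two is a first-match rule engine whose action depends on the evaluation order: Snort's default alert->pass->log, or pass->alert->log when started with -o. The thresholds, rule messages and connection records are constructed for the demo; in this model the scan detector is evaluated independently of the rule order, so a pass rule changes what the rule engine does with a packet but not what the scan detector reports. Which of the two produced the specific alert the poster saw is not settled by the thread; the model only shows why the two knobs are separate.

```python
"""Toy model (constructed example, not Snort's code) of a portscan-style
preprocessor with an ignore list and a rule engine with configurable
action ordering."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HOME_NET = "192.168.0.0/22"          # var HOME_NET from the thread
EXTERNAL_NET = "!" + HOME_NET        # var EXTERNAL_NET !$HOME_NET


def net_matches(spec, ip):
    """Match a rule address field: 'any', a CIDR, or a negated CIDR ('!CIDR')."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ip_address(ip) in ip_network(spec.lstrip("!"))
    return inside != negate


# (1) portscan-style preprocessor: X distinct ports from one source in Y seconds.
PORTSCAN_THRESHOLD = 4               # X (constructed value)
PORTSCAN_WINDOW = 3.0                # Y seconds (constructed value)
IGNORE_HOSTS = [HOME_NET]            # preprocessor portscan-ignorehosts: $HOME_NET


def detect_portscans(events):
    """events: iterable of (seconds, src, dst, dport).
    Returns [(seconds, src)] once per source the first time it crosses the threshold."""
    history = defaultdict(deque)     # src -> recent (ts, dport) within the window
    flagged, alerts = set(), []
    for ts, src, dst, dport in events:
        if any(net_matches(net, src) for net in IGNORE_HOSTS):
            continue                 # scans *from* ignored hosts are never reported
        recent = history[src]
        recent.append((ts, dport))
        while ts - recent[0][0] > PORTSCAN_WINDOW:
            recent.popleft()         # drop connections older than the window
        if src not in flagged and len({p for _, p in recent}) >= PORTSCAN_THRESHOLD:
            flagged.add(src)
            alerts.append((ts, src))
    return alerts


# (2) rule engine: first matching rule wins, action groups tried in 'order'.
DEFAULT_ORDER = ("alert", "pass", "log")   # Snort default
O_FLAG_ORDER = ("pass", "alert", "log")    # snort -o

# Rule messages are constructed placeholders, not the real scan.rules text.
RULES = [
    {"action": "alert", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 8080, "msg": "proxy scan 8080"},
    {"action": "alert", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 3128, "msg": "proxy scan 3128"},
    {"action": "alert", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 1080, "msg": "socks scan 1080"},
    {"action": "pass", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 8080, "msg": None},
    {"action": "pass", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 3128, "msg": None},
    {"action": "pass", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 1080, "msg": None},
]


def apply_rules(packet, rules=RULES, order=DEFAULT_ORDER):
    """packet: (src, dst, dport). Returns (action, msg) of the first match."""
    src, dst, dport = packet
    for action in order:
        for r in rules:
            if (r["action"] == action and net_matches(r["src"], src)
                    and net_matches(r["dst"], dst) and r["dport"] == dport):
                return action, r["msg"]
    return "none", None


SAMPLE_EVENTS = [  # constructed: (seconds, src, dst, dport)
    (0.0, "10.9.8.7", "192.168.1.10", 8080),
    (0.5, "10.9.8.7", "192.168.1.10", 3128),
    (1.0, "10.9.8.7", "192.168.1.10", 1080),
    (1.5, "10.9.8.7", "192.168.1.10", 22),       # 4th distinct port in 1.5 s -> portscan
    (2.0, "192.168.0.7", "192.168.1.10", 8080),  # HOME_NET source: on the ignore list
    (2.1, "192.168.0.7", "192.168.1.10", 3128),
    (2.2, "192.168.0.7", "192.168.1.10", 1080),
    (2.3, "192.168.0.7", "192.168.1.10", 22),
    (20.0, "10.9.8.7", "192.168.1.10", 443),     # outside the window; source already flagged
]


def demo():
    scans = detect_portscans(SAMPLE_EVENTS)
    probe = ("10.9.8.7", "192.168.1.10", 8080)
    return scans, apply_rules(probe), apply_rules(probe, order=O_FLAG_ORDER)


if __name__ == "__main__":
    scans, default, with_o = demo()
    print("portscan alerts:", scans)              # independent of rule order
    print("default order  :", default)            # alert wins
    print("-o order       :", with_o)             # pass wins
```

Running it reports one portscan from 10.9.8.7 (the 192.168.0.7 burst is dropped by the ignore list), while the same 8080 probe is alerted on under the default order and passed under -o.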

