Snort mailing list archives

RE: Help with pass rule


From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 29 Aug 2002 07:31:34 -0700 (PDT)

On Thu, 29 Aug 2002 francisv () dagupan com wrote:

> I have defined the following:
>
>       var HOME_NET 192.168.0.0/22
>       var SERVERS_NET 192.168.1.128/25
>       var DIALUP_NET 192.168.1.0/25
>       var EXTERNAL_NET !$HOME_NET
>
> However, there are still things that are not clear to me. If I changed the
> ordering of snort to pass->alert->log instead of alert->pass->log using
> option "o", why do I still get alerts from scan proxy/socks alert even if I
> allowed it to pass?
>
>       pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
>       pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
>       pass tcp $EXTERNAL_NET any -> $HOME_NET 1080
>
> Is it a bug or a feature?

Feature.  :)

If you look you'll see that what generated those alerts isn't a rule, but a
preprocessor.  spp_portscan or spp_portscan2 aren't affected by the pass
rules.  They only use the portscan_ignorehosts config option.

If you would like to ignore this traffic and lighten the load on snort, then
use a BPF filter.  Start snort with something like "snort <your options> 'not
(net 192.168.1.128/25 and port 1080) and not (net 192.168.1.0/25 and port
3128)'".  See the tcpdump man page for more info on how to write the BPF
filters.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
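To make the distinction in the reply concrete, here is an added toy model of the pipeline (my illustration, not Snort source and not code from the thread): the stage order, the packet dictionaries and the proxy-scan check are assumptions, while HOME_NET, the two subnets, the three ports and the BPF expression come from the messages above.

```python
"""Simplified model of why a Snort pass rule does not silence a
preprocessor alert while a BPF filter does. Added illustration, not Snort
source: the stage order (BPF filter -> preprocessor -> rule engine) and
the portscan check are assumptions chosen to mirror the thread."""
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.0.0/22")        # values from the thread
SERVERS_NET = ip_network("192.168.1.128/25")
DIALUP_NET = ip_network("192.168.1.0/25")
PROXY_PORTS = {8080, 3128, 1080}               # the three pass rules

def bpf_filter(pkt):
    """Model of 'not (net SERVERS and port 1080) and not (net DIALUP and
    port 3128)'. As in real BPF, net and port match in either direction."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    ports = {pkt["sport"], pkt["dport"]}
    def net_and_port(net, port):
        return (src in net or dst in net) and port in ports
    return not net_and_port(SERVERS_NET, 1080) and not net_and_port(DIALUP_NET, 3128)

def portscan_preprocessor(pkt):
    """Constructed stand-in for the proxy/socks scan check: fires on any
    external -> HOME_NET connection to a proxy port; never consults rules."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src not in HOME_NET and dst in HOME_NET and pkt["dport"] in PROXY_PORTS:
        return ["SCAN Proxy attempt (preprocessor)"]
    return []

def rule_engine(pkt, order):
    """Walk the rule types in the configured order (-o swaps alert/pass).
    A matching pass rule ends evaluation; a matching alert rule reports."""
    hit = ip_address(pkt["dst"]) in HOME_NET and pkt["dport"] in PROXY_PORTS
    for kind in order:
        if kind == "pass" and hit:
            return []
        if kind == "alert" and hit:
            return ["proxy rule alert"]
    return []

def snort(pkt, order=("alert", "pass", "log"), bpf=None):
    """Return every alert the modelled pipeline raises for one packet."""
    if bpf is not None and not bpf(pkt):
        return []                 # filtered before decode: no stage sees it
    return portscan_preprocessor(pkt) + rule_engine(pkt, order)
```

Because BPF `net` and `port` match either end of the packet, the same filter also hides outbound traffic from a dial-up host that happens to use source port 3128, so check the expression against both directions before deploying it.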


