Snort mailing list archives
Re: Pass Rule
From: Joseph Nuara <joe () moorecap com>
Date: Tue, 26 Nov 2002 18:03:49 -0500 (EST)
Yes, it is server-to-server on port 53 and I am using the -o option. I tried changing port 53 to any in the dst host (as you suggested), but it still doesn't pass the traffic. I was only able to get it to pass traffic by removing the content fields (FYI, both ports were 53 as reported in the alert on the ACID db console).

On Tue, 26 Nov 2002, Matt Kettler wrote:
At 03:16 PM 11/26/2002 -0600, Frank Knobbe wrote:

> I would suggest to put any pass rules in a file called pass.rules, and load it in your snort.conf before any other rules.

I'd agree with that for convenience/maintenance's sake, but the order of rules in the file is not relevant to the order in which they are executed in this case. (And note that even between ordinary alert rules, order is relevant, but the execution order does NOT always match the file order.) Pass rules are executed completely separately from the alert rules, and without the -o they will always be executed after alerts, and with it they will always be executed before them, no matter where they exist in the files relative to the alert rules they are trying to pass around.

As for the pass rule itself:

pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53 (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; )

Are you sure that BOTH the source and the dest port are 53 on the packets you are trying to pass? Most clients get DNS responses back on ports other than 53, although server-server queries are generally 53 to 53. Try this one instead, which matches the original rule better:

pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx any (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; )

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
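As an added illustration (not code from the thread, and not Snort's own matcher), the following Python decodes the two content patterns from the pass rule, builds a constructed DNS PTR reply of the shape they describe, and evaluates both versions of the rule header against it with a simplified port-plus-content matcher. It shows why the "53 -> 53" header misses replies sent to a client's ephemeral port and how byte-exact content (here a fixed RDLENGTH of 15) makes the pass rule brittle; the matcher model, the packet layout and the names used are assumptions.

```python
import struct

# The two content patterns from the pass rule in the thread. Decoded, the first
# is the DNS header minus the 2-byte transaction ID: flags 0x8580 (response,
# authoritative, RD+RA), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0. The second
# is one answer RR: name pointer 0xc00c, type 12 (PTR), class 1, TTL 60, RDLENGTH 15.
CONTENT_HEADER = "|85800001000100000000|"
CONTENT_ANSWER = "|c00c000c00010000003c000f|"

def snort_content_to_bytes(spec):
    """Convert a Snort content value such as "|85 80|abc" into raw bytes:
    text between '|' pairs is hex, everything else is literal."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def encode_name(name):
    """DNS wire encoding of a dotted name (no compression)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def build_ptr_response(txid, qname, target, ttl=60):
    """Constructed sample: an authoritative PTR response with one answer."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 12, 1)  # QTYPE PTR, class IN
    rdata = encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def rule_matches(rule, pkt):
    """Simplified model of Snort rule evaluation: protocol, ports and content
    options only (addresses and pass/alert ordering are not modelled)."""
    if pkt["proto"] != rule["proto"]:
        return False
    for side in ("sport", "dport"):
        if rule[side] != "any" and pkt[side] != rule[side]:
            return False
    return all(snort_content_to_bytes(c) in pkt["payload"] for c in rule["content"])

# "pass udp X 53 -> Y 53 (...)" as first written, and the "-> Y any" variant
RULE_53_TO_53 = {"proto": "udp", "sport": 53, "dport": 53,
                 "content": [CONTENT_HEADER, CONTENT_ANSWER]}
RULE_53_TO_ANY = dict(RULE_53_TO_53, dport="any")

def udp(sport, dport, payload):
    return {"proto": "udp", "sport": sport, "dport": dport, "payload": payload}

if __name__ == "__main__":
    reply = build_ptr_response(0x1234, "4.3.2.1.in-addr.arpa", "a.example.com")
    # rules x destination ports (53, 33000) -> [True, False, True, True]
    print([rule_matches(r, udp(53, p, reply)) for r in (RULE_53_TO_53, RULE_53_TO_ANY) for p in (53, 33000)])
```

Because the first pattern starts at byte 2, the transaction ID never affects the match, but any PTR target whose encoded length is not 15 bytes changes RDLENGTH and defeats the second pattern.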
Current thread:
- Pass Rule Joseph Nuara (Nov 26)
- Re: Pass Rule Frank Knobbe (Nov 26)
- Re: Pass Rule Joseph Nuara (Nov 26)
- Re: Pass Rule Frank Knobbe (Nov 26)
- Re: Pass Rule Joseph Nuara (Nov 26)
- Re: Pass Rule Joseph Nuara (Nov 26)
- Re: Pass Rule Matt Kettler (Nov 26)
- Re: Pass Rule Joseph Nuara (Nov 26)
- Re: Pass Rule Erek Adams (Nov 26)
- Re: Pass Rule Frank Knobbe (Nov 26)