Snort mailing list archives
Re: Pass Rules Questions
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 30 Jan 2003 15:47:07 -0500
First, pass rules will not affect spp_portscan2, or any other preprocessor. Pass rules affect the traffic seen by other rules. If you want to filter stuff so that the preprocessors don't see them, you'll have to do that with bpf type filtering.
Now the source of the "scan" is www.xxx.yyy.zzz, but that's not part of your IGNORE_PORTSCAN set.
Thus, www.xxx.yyy.zzz is being reported as scanning because the pass rule does not affect preprocessors, and the source of the scan is not in your ignore set.
That said, I've been having considerable difficulty making spp_portscan2 behave in a sane manner. It fires off as detecting a "syn-ack" scan every time a web browser in my network opens a web-page with more embedded images than the port_limit in the portscan2 preprocessor is set to, somehow neglecting to pay attention to the fact that the connection was initiated from HOME_NET first. I've actually disabled portscan2 in favor of spade which is much more flexible, and reasonable about its behavior.
At 01:22 PM 1/30/2003 -0600, Demetri Mouratis wrote:
Hello,

I've got a problem with some pass rules that don't seem to be passing. Snort is v1.9.0, I'm running it on a stealth interface (eth1) connected to a monitoring port on my switch. I'd like snort to ignore traffic to and from port 25. Here are the two rules I've added to local.rules to accomplish this:

pass tcp $HOME_NET 1025:65535 <> any 25
pass tcp $HOME_NET 25 <> any 1025:65535

HOME_NET is defined in snort.conf:

var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]

Snort is invoked thusly:

/usr/local/bin/snort -b -d -D -o -i eth1 -c /etc/snort/snort.conf

Looking through my ACID logs:

(spp_portscan2) Portscan detected from www.xxx.yyy.zzz: 1 targets 21 ports in 58 seconds
2003-01-30 13:02:34-06 SRC: www.xxx.yyy.zzz:25 DST aaa.bbb.ccc.ddd:34722 PROTO: TCP

Additionally, in snort.conf, I've defined:

var IGNORE_PORTSCAN $HOME_NET
preprocessor portscan2-ignorehosts: $IGNORE_PORTSCAN

Any guidance greatly appreciated. Thanks.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
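The ordering Matt describes (a BPF capture filter is applied before decoding, preprocessors such as spp_portscan2 run next, and pass rules only come into play in the rules engine after that) is what decides whether a packet ever reaches portscan2. The following is an added illustration, written for this page and not code from the thread, from Snort or from either poster: a toy Python model of that pipeline, run over constructed traffic that reproduces the symptom in the quoted ACID log (one HOME_NET host opening 21 SMTP connections, whose SYN-ACKs come back from the relay's port 25 to 21 different ephemeral ports). The HOME_NET prefixes, the relay address, the port_limit of 20 and the 60-second window are all assumptions standing in for the poster's anonymised values; the portscan2 logic is a simplification, not the real preprocessor.

```python
"""
Added example, not code from the thread or from Snort: a toy model of the
order in which Snort 1.9 applies a BPF capture filter, the portscan2
preprocessor and the rules engine, to show why the quoted pass rules never
reach spp_portscan2 while a BPF filter does.

Modelled pipeline: BPF filter -> decoder -> preprocessors (portscan2)
                   -> rules engine (with -o: pass before alert).
All addresses, ports and timestamps are constructed; the HOME_NET prefixes
stand in for the poster's anonymised aaa.bbb.ccc.ddd/24 etc. The portscan2
thresholds are assumed values, not the poster's configuration.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-ins for: var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]
HOME_NET = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/26", "10.3.0.0/28")]
IGNORE_PORTSCAN = HOME_NET   # var IGNORE_PORTSCAN $HOME_NET
PORT_LIMIT = 20              # assumed portscan2 port_limit
WINDOW = 60                  # assumed timeout window, seconds

# A packet is the tuple (timestamp, src_ip, src_port, dst_ip, dst_port).

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def bpf_not_smtp(pkt):
    """Capture filter 'not tcp port 25': a packet it rejects is never decoded,
    so neither preprocessors nor rules see it."""
    _, _, sport, _, dport = pkt
    return sport != 25 and dport != 25

def pass_rules_match(pkt):
    """The poster's two bidirectional pass rules:
         pass tcp $HOME_NET 1025:65535 <> any 25
         pass tcp $HOME_NET 25 <> any 1025:65535
    True when the packet is covered by either, in either direction."""
    _, src, sport, dst, dport = pkt

    def rule1(a, ap, bp):   # $HOME_NET 1025:65535 <> any 25
        return in_nets(a, HOME_NET) and 1025 <= ap <= 65535 and bp == 25

    def rule2(a, ap, bp):   # $HOME_NET 25 <> any 1025:65535
        return in_nets(a, HOME_NET) and ap == 25 and 1025 <= bp <= 65535

    return (rule1(src, sport, dport) or rule1(dst, dport, sport)
            or rule2(src, sport, dport) or rule2(dst, dport, sport))

def portscan2(packets, ignore=IGNORE_PORTSCAN, port_limit=PORT_LIMIT, window=WINDOW):
    """Toy spp_portscan2: per source, count distinct (target, port) pairs seen
    within `window` seconds; alert once when the count exceeds port_limit.
    It skips sources in `ignore` (portscan2-ignorehosts) and nothing else:
    it does not know which side opened the connection and never consults
    pass rules."""
    history = defaultdict(list)   # src -> [(ts, dst, dport)]
    alerts, alerted = [], set()
    for ts, src, _sport, dst, dport in packets:
        if in_nets(src, ignore):
            continue
        hist = history[src]
        hist.append((ts, dst, dport))
        hist[:] = [h for h in hist if ts - h[0] <= window]
        pairs = {(d, p) for _, d, p in hist}
        if len(pairs) > port_limit and src not in alerted:
            alerted.add(src)
            targets = len({d for _, d, _ in hist})
            alerts.append((src, targets, len(pairs), round(ts - hist[0][0])))
    return alerts

def format_alert(alert):
    """Render an alert in the shape the ACID log in the thread shows."""
    src, targets, ports, secs = alert
    return f"(spp_portscan2) Portscan detected from {src}: {targets} targets {ports} ports in {secs} seconds"

def run_snort(packets, bpf=None):
    """Apply the stages in Snort's order and return
    (portscan2 alerts, packets that reach the rules engine without being passed).
    The rules engine here has one hypothetical rule,
    'alert tcp any any -> $HOME_NET any', to show that the pass rules do
    work at the stage they are meant for."""
    captured = [p for p in packets if bpf is None or bpf(p)]
    preproc_alerts = portscan2(captured)
    rule_hits = [p for p in captured
                 if in_nets(p[3], HOME_NET) and not pass_rules_match(p)]
    return preproc_alerts, rule_hits

def smtp_burst(n=21, home="10.1.0.5", relay="192.0.2.25", seconds=58.0):
    """Constructed traffic: a HOME_NET mailer opens n SMTP connections to one
    relay over `seconds`; each SYN-ACK comes back from relay:25 to a different
    ephemeral port, which is what portscan2 then counts as n ports."""
    pkts = []
    for i in range(n):
        ts = i * seconds / max(n - 1, 1)
        eph = 34722 + i
        pkts.append((ts, home, eph, relay, 25))          # SYN out
        pkts.append((ts + 0.01, relay, 25, home, eph))   # SYN-ACK back
    return pkts

if __name__ == "__main__":
    traffic = smtp_burst()
    alerts, hits = run_snort(traffic)                    # pass rules only
    print("pass rules only:", [format_alert(a) for a in alerts], "rule hits:", len(hits))
    alerts, hits = run_snort(traffic, bpf=bpf_not_smtp)  # BPF in front
    print("with BPF filter:", alerts, "rule hits:", len(hits))
```

With only the pass rules in place the model produces the same "1 targets 21 ports in 58 seconds" alert as the poster's log, sourced from the relay's port 25, while the hypothetical alert rule stays silent because the pass rules do match every packet in the rules engine. Putting the BPF filter in front removes the traffic before portscan2 counts it. In Snort itself the equivalent is a BPF expression given after the options, tcpdump-style (for example `not tcp port 25` appended to the command line in the quoted invocation), or read from a file with `-F`; note that this also hides port 25 traffic from every rule, which is the trade-off Matt's reply points at.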
Current thread:
- Pass Rules Questions Demetri Mouratis (Jan 30)
- <Possible follow-ups>
- Re: Pass Rules Questions Matt Kettler (Jan 30)
- Re: Pass Rules Questions Demetri Mouratis (Jan 30)