Snort mailing list archives
New rule type problem
From: George Kendell <kballiaa () yahoo com>
Date: Mon, 10 Mar 2003 10:26:20 -0800 (PST)
I have a network segment where I know exactly what traffic is supposed to traverse across it. I set up new rule types to pass the known allowed traffic and log everything else. The problem I am seeing is that any allowed UDP traffic that was fragmented is being logged. Is there something I am missing? Thanks in advance.

Snort ver 1.9.1, WIN2K (I know, but it's what the customer wanted).

var HOME_NET [10.2.8.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH C:/snort/rules

preprocessor frag2: memcap 8388608
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode

output database: log, mysql, user=snort password=snort dbname=snort host=localhost sensor_name=DCONEIDS

include c:/snort/etc/classification.config
include c:/snort/etc/reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

ruletype pass_allowed
{
    type pass
    output log_null
}

ruletype not_allowed
{
    type log
    output log_tcpdump: suspicious.log
}

config order: alert pass_allowed not_allowed

pass_allowed udp 10.0.0.0/8 1024 <> 10.2.8.60 5555
pass_allowed udp 10.0.0.0/8 1024 <> 10.2.8.61 5555
pass_good udp 10.0.0.0/8 161 <> 10.2.8.50 any
pass_good udp 10.0.0.0/8 any <> 10.2.8.50 162
pass_good tcp 10.2.12.2 any <> 10.2.8.60 8080
pass_good tcp 10.2.12.3 any <> 10.2.8.60 8080
pass_good tcp 10.2.12.2 any <> 10.2.8.61 8080
pass_good tcp 10.2.12.3 any <> 10.2.8.61 8080
pass_good tcp 10.2.8.50 any <> 10.0.0.0/8 22
not_allowed ip any any <> any any (msg:"UNKNOWN TRAFFIC"; classtype:bad-unknown; rev:1;)
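Added example, not part of George Kendell's post or of Snort itself: a small Python model of the posted rule order that shows why the raw fragments of an allowed UDP datagram fall through to the `not_allowed ip any any` catch-all. It assumes that Snort evaluates a fragment (offset > 0 or MF set), which carries no UDP header, only against ip-protocol rules, while the datagram frag2 rebuilds is an unfragmented packet that does match the udp pass rule; the `FRAGMENT_AWARE_RULES` remedy is hypothetical (the post's `pass_good` rules are omitted, since no such ruletype is defined in the posted config).

```python
import ipaddress

# Constructed model of the posted rule set, in "config order" precedence.
# A rule is (ruletype, proto, src_net, src_port, dst_net, dst_port); None = any.
POSTED_RULES = [
    ("pass_allowed", "udp", "10.0.0.0/8", 1024, "10.2.8.60", 5555),
    ("pass_allowed", "udp", "10.0.0.0/8", 1024, "10.2.8.61", 5555),
    ("not_allowed", "ip", "0.0.0.0/0", None, "0.0.0.0/0", None),
]

# Hypothetical remedy: an ip-protocol pass rule between the same hosts, placed
# before the catch-all, so raw fragments are passed too. Caveat: it passes every
# IP protocol between those addresses, not only UDP/5555; the port check then
# applies only to the datagram frag2 rebuilds.
FRAGMENT_AWARE_RULES = [
    ("pass_allowed", "ip", "10.0.0.0/8", None, "10.2.8.60", None),
] + POSTED_RULES

def _half_matches(net, rule_port, addr, pkt_port):
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(net)
            and (rule_port is None or rule_port == pkt_port))

def rule_matches(rule, pkt):
    _, proto, snet, sport, dnet, dport = rule
    # Assumption: a fragment has no transport header, so Snort evaluates it
    # only against ip-protocol rules; port-based udp/tcp rules cannot match it.
    if proto != "ip" and (pkt["fragment"] or proto != pkt["proto"]):
        return False
    # "<>" rules are bidirectional: try both orientations.
    return ((_half_matches(snet, sport, pkt["src"], pkt["sport"])
             and _half_matches(dnet, dport, pkt["dst"], pkt["dport"]))
            or (_half_matches(snet, sport, pkt["dst"], pkt["dport"])
                and _half_matches(dnet, dport, pkt["src"], pkt["sport"])))

def verdict(pkt, rules=POSTED_RULES):
    """First matching ruletype wins, as with 'config order'; None = no match."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return None

# Constructed traffic: the datagram as rebuilt by frag2, and one raw fragment of
# it as seen on the wire (no ports: the UDP header lives in fragment 0 only).
REBUILT = {"proto": "udp", "src": "10.0.0.5", "sport": 1024,
           "dst": "10.2.8.60", "dport": 5555, "fragment": False}
FRAGMENT = {"proto": "udp", "src": "10.0.0.5", "sport": None,
            "dst": "10.2.8.60", "dport": None, "fragment": True}

if __name__ == "__main__":
    print(verdict(REBUILT))                         # pass_allowed
    print(verdict(FRAGMENT))                        # not_allowed (logged)
    print(verdict(FRAGMENT, FRAGMENT_AWARE_RULES))  # pass_allowed
```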
Current thread:
- New rule type problem George Kendell (Mar 10)
- <Possible follow-ups>
- New rule type problem George Kendell (Mar 10)