New rule type problem

[George Kendell <kballiaa () yahoo com>]

I have a network segment where I know exactly what traffic is supposed to traverse acrossed it.  I set up new rule 
types to pass the known allowed traffic and log everything else.  The problem I am seeing is that any allowed UDP 
traffic that was fragmented is being logged.  Is there something I am missing ? Thanks in advance.

Snort ver 1.9.1, WIN2K( I know but its what the customer wanted).

var HOME_NET [10.2.8.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH C:/snort/rules
preprocessor frag2: memcap 8388608
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
output database: log, mysql, user=snort password=snort dbname=snort host=localhost sensor_name=DCONEIDS

include c:/snort/etc/classification.config
include c:/snort/etc/reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

ruletype pass_allowed
{
  type pass
  output log_null
}
ruletype not_allowed
{
   type log
   output log_tcpdump: suspicious.log
   }
config order: alert pass_allowed not_allowed

pass_allowed udp 10.0.0.0/8 1024 <> 10.2.8.60 5555
pass_allowed udp 10.0.0.0/8 1024 <> 10.2.8.61 5555

pass_good udp 10.0.0.0/8 161 <> 10.2.8.50 any
pass_good udp 10.0.0.0/8 any <> 10.2.8.50 162

pass_good tcp 10.2.12.2 any <> 10.2.8.60 8080
pass_good tcp 10.2.12.3 any <> 10.2.8.60 8080
pass_good tcp 10.2.12.2 any <> 10.2.8.61 8080
pass_good tcp 10.2.12.3 any <> 10.2.8.61 8080

pass_good tcp 10.2.8.50 any <> 10.0.0.0/8 22

not_allowed ip any any <> any any (msg:"UNKNOWN TRAFFIC"; classtype:bad-unknown; rev:1;)




---------------------------------
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, and more