Snort mailing list archives

RE: Pass rule sometimes does not work


From: "Hess, Ben" <ben.hess () techalliancegroup com>
Date: Tue, 14 Jan 2003 10:06:19 -0700

I read the FAQ and the question that I have is how does it determine the
order in which the OTNs are placed? Just for reference below are the rules I
am working on.

var CALENDAR [10.100.4.25,10.100.4.27,10.100.4.24]
pass tcp $EXTERNAL_NET any -> $CALENDAR $HTTP_PORTS ( sid: 1000005; rev: 2; msg: "WEB-CGI calendar access"; flow: to_server,established; uricontent: "/calendar"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( sid: 882; rev: 4; msg: "WEB-CGI calendar access"; flow: to_server,established; uricontent: "/calendar"; nocase; classtype: attempted-recon;)

-----Original Message-----
From: Erick Mechler [mailto:emechler () techometer net]
Sent: Tuesday, January 14, 2003 9:30 AM
To: Hess, Ben
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pass rule sometimes does not work


:: I have a web server that allows use of the CGI calendar feature on some of
:: the web sites. I wrote a pass rule that should allow the traffic to not be
:: picked up but every so often I get an alert from one of the allowed
:: addresses. Does anyone know where I should look to troubleshoot this issue?

Check out Section 3.13 of the FAQ.  It might explain why your rule doesn't
do what you think it should.  http://www.snort.org/docs/faq.html#3.13 If
that doesn't answer your question, send us the relevant rules and we'll see
what we can find.

Cheers - Erick
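The following is a small Python model of how Snort's rule-type ordering decides which of two overlapping rules fires. It is an added illustration, not code from this thread or from Snort itself, and it deliberately simplifies the detection engine to "first matching rule wins" while walking rule types in a configurable order (Snort's default is alert -> pass -> log; the `-o` switch changes it to pass -> alert -> log). The CALENDAR addresses are the ones from the post; the extra host 10.100.4.30 in HTTP_SERVERS, the request URIs and the `outcome` helper are constructed for the example.

```python
"""Toy model of Snort 1.x/2.x rule-action ordering (added illustration,
not Snort's own code).

A rule is reduced to an action, a set of destination addresses and a
uricontent string. evaluate() applies the "first matching rule wins"
behaviour of the classic engine, visiting rule types in a chosen order.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Snort's default rule-type order; `snort -o` selects PASS_FIRST instead.
DEFAULT_ORDER: Tuple[str, ...] = ("alert", "pass", "log")
PASS_FIRST: Tuple[str, ...] = ("pass", "alert", "log")


@dataclass(frozen=True)
class Rule:
    action: str                # "alert", "pass" or "log"
    dst_hosts: FrozenSet[str]  # destination addresses the rule applies to
    uricontent: str            # substring the request URI must contain (nocase)
    sid: int


@dataclass(frozen=True)
class Packet:
    dst: str  # destination address
    uri: str  # normalised request URI


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header check (destination host) plus a case-insensitive uricontent check."""
    return pkt.dst in rule.dst_hosts and rule.uricontent.lower() in pkt.uri.lower()


def evaluate(rules: Sequence[Rule], pkt: Packet,
             order: Sequence[str] = DEFAULT_ORDER) -> Optional[Tuple[str, int]]:
    """Return (action, sid) of the first rule that matches, or None.

    Rule types are visited in `order`; within one type the rules keep the
    order in which they were read from the configuration.
    """
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.sid
    return None


# Variables from the thread. HTTP_SERVERS is assumed to be a superset of
# CALENDAR; 10.100.4.30 is a constructed non-calendar web server.
CALENDAR = frozenset({"10.100.4.25", "10.100.4.27", "10.100.4.24"})
HTTP_SERVERS = CALENDAR | {"10.100.4.30"}

# The two rules from the post, reduced to what this model needs.
RULES = (
    Rule("pass", CALENDAR, "/calendar", sid=1000005),
    Rule("alert", HTTP_SERVERS, "/calendar", sid=882),
)


def outcome(dst: str, uri: str,
            order: Sequence[str] = DEFAULT_ORDER) -> Optional[Tuple[str, int]]:
    """Evaluate RULES against one constructed request (hypothetical helper)."""
    return evaluate(RULES, Packet(dst, uri), order)


if __name__ == "__main__":
    for label, order in (("default (alert->pass->log)", DEFAULT_ORDER),
                         ("snort -o (pass->alert->log)", PASS_FIRST)):
        print(label)
        for dst, uri in (("10.100.4.25", "/cgi-bin/calendar.pl"),
                         ("10.100.4.30", "/cgi-bin/calendar.pl"),
                         ("10.100.4.25", "/index.html")):
            print(f"  {dst} {uri:22} -> {outcome(dst, uri, order)}")
```

With the default order a calendar request to 10.100.4.25 still hits alert sid 882, because the alert chain is consulted before the pass chain; with the pass-first order the pass rule wins, and requests to the non-calendar host 10.100.4.30 alert either way. The model leaves out the real engine's rule trees and event handling, so it only shows the ordering effect, not every reason an alert might slip through.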
