Snort mailing list archives
Re: Part of traffic matching wrong rule
From: James Nonya <slave_tothe_box () yahoo com>
Date: Tue, 24 Jun 2003 11:45:42 -0700 (PDT)
--- Juergen Anthamatten <juergen.anthamatten () gmx net> wrote:
I have the strange behaviour in snort that part of the traffic is matching the wrong rule. The details:

I'd like to alarm on tcp syn-ack packets sent back by a server violating our policy. Therefore I "pass" all allowed syn-ack traffic and then I "alarm" on all other syn-ack packets. This works almost fine, except for about 1% of the traffic: matching theoretically the pass rule, this rule is not hitting and the alarm rule is triggering instead.

Relevant configuration info:

Snort Version: 2.0.0
Rule application order: alert->pass->alarm

    var HOME_NET 64.232.48.224/28
    var UNIVERSE 0.0.0.0/0
    var host1 64.232.48.230

    pass tcp $host1 80 -> $UNIVERSE 1024: (flags: SA;)
    # Snort's rule action keyword is "alert"; there is no "alarm" action
    alert tcp $HOME_NET any -> $UNIVERSE any (flags: SA; msg:"Forbidden synAck from HOME_NET";)

As the following extract of the alarm-logfile shows, this packet, which fits theoretically the pass-rule, is not matching the pass-rule but the final alarm-rule.

    ... 64.232.48.230.80 > 88.34.112.22.8888: S 2146395230:2146395230(0) ack 3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)

(For about 99% of the syn-ack responses from 64.232.48.230.80 the pass-rule is matching and no alarm is triggered.)

Is this a misconfiguration, or ???

TIA for any hints.....

./juergen
Juergen,

Start your snort with -o

    -o   Change the rule testing order to Pass|Alert|Log

James
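The effect of the rule-testing order James points at can be shown with a small simulation. This is an added example, not code from the thread or from Snort itself: it models the two rules Juergen posted (with the action spelled `alert`, as Snort requires) and evaluates the SYN-ACK from his log extract under the default Alert|Pass|Log order and under the Pass|Alert|Log order that `-o` selects. The engine is a deliberate simplification of Snort's detection engine (the first action class that has a matching rule decides the packet; flags are compared exactly, which is what `flags:SA;` with no modifier means in Snort). The two extra packets are constructed for illustration, not taken from the post.

```python
"""Simulation of Snort rule-action ordering (added example, not Snort code).

Simplification: the first action class in the configured order that has a
matching rule decides the packet's fate.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Variables exactly as in the post
HOME_NET = "64.232.48.224/28"
UNIVERSE = "0.0.0.0/0"
HOST1 = "64.232.48.230"

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 2.0 default
DASH_O_ORDER = ("pass", "alert", "log")    # order selected by `snort -o`


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "SA" for SYN+ACK


@dataclass
class Rule:
    action: str    # pass | alert | log
    src_net: str
    sport: str     # "80", "any", "1024:" (Snort port syntax)
    dst_net: str
    dport: str
    flags: str     # flags:XY; with no modifier -> exact match in Snort
    msg: str = ""


def port_matches(spec: str, port: int) -> bool:
    """Snort-style port spec: single port, 'any', 'lo:', ':hi' or 'lo:hi'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)


def net_matches(spec: str, addr: str) -> bool:
    """A bare address is treated as a /32, a CIDR as the network."""
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        net_matches(rule.src_net, pkt.src)
        and port_matches(rule.sport, pkt.sport)
        and net_matches(rule.dst_net, pkt.dst)
        and port_matches(rule.dport, pkt.dport)
        and set(rule.flags) == set(pkt.flags)   # exact-flag semantics
    )


def evaluate(rules, pkt: Packet, order=DEFAULT_ORDER):
    """Return (action, msg) of the first matching rule, walking action classes in `order`."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return "none", ""


# The two rules from the post
RULES = [
    Rule("pass", HOST1, "80", UNIVERSE, "1024:", "SA"),
    Rule("alert", HOME_NET, "any", UNIVERSE, "any", "SA", "Forbidden synAck from HOME_NET"),
]

# The SYN-ACK from the posted log extract
SYNACK = Packet("64.232.48.230", 80, "88.34.112.22", 8888, "SA")


def demo():
    """Evaluate the posted packet under both orders, plus two constructed packets."""
    return {
        "default": evaluate(RULES, SYNACK, DEFAULT_ORDER),
        "dash_o": evaluate(RULES, SYNACK, DASH_O_ORDER),
        # constructed: SYN-ACK from another HOME_NET host, not covered by the pass rule
        "other_host": evaluate(RULES, Packet("64.232.48.231", 443, "88.34.112.22", 8888, "SA"), DASH_O_ORDER),
        # constructed: same server, but a client port below 1024 -> pass rule's "1024:" fails
        "low_port": evaluate(RULES, Packet(HOST1, 80, "88.34.112.22", 1023, "SA"), DASH_O_ORDER),
    }


if __name__ == "__main__":
    for name, (action, msg) in demo().items():
        print(f"{name:11s} -> {action:5s} {msg}")
```

Under the default order the posted packet matches the alert rule before the pass rule is ever consulted; with the `-o` order the pass rule wins and only SYN-ACKs the pass rule does not cover (another host, or a client port below 1024) still alert.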
Current thread:
- Part of traffic matching wrong rule Juergen Anthamatten (Jun 24)
- Re: Part of traffic matching wrong rule James Nonya (Jun 24)
- Re: Part of traffic matching wrong rule Erek Adams (Jun 24)
- Re: Part of traffic matching wrong rule Andrew R. Baker (Jun 24)
- <Possible follow-ups>
- Re: Part of traffic matching wrong rule Juergen Anthamatten (Jun 25)
- Re: Part of traffic matching wrong rule JP Vossen (Jun 25)
- Re: Part of traffic matching wrong rule Chris Green (Jun 26)