Snort mailing list archives

Re: Part of traffic matching wrong rule


From: James Nonya <slave_tothe_box () yahoo com>
Date: Tue, 24 Jun 2003 11:45:42 -0700 (PDT)


--- Juergen Anthamatten <juergen.anthamatten () gmx net> wrote:

I have the strange behaviour in snort that part of the traffic is matching the wrong rule.

The details:
I'd like to alarm on tcp syn-ack packets sent back by a server violating our policy. Therefore I "pass" all allowed syn-ack traffic and then I "alarm" on all other syn-ack packets.
This works almost fine, except for about 1% of the traffic: although it theoretically matches the pass rule, this rule is not hitting and the alarm rule is triggering instead.

Relevant configuration info:
Snort Version: 2.0.0
Rule application order: alert->pass->alarm

var HOME_NET    64.232.48.224/28
var UNIVERSE    0.0.0.0/0
var host1       64.232.48.230

pass    tcp     $host1      80  ->  $UNIVERSE   1024:   (flags: SA;)
alarm   tcp     $HOME_NET   any ->  $UNIVERSE   any     (flags: SA; msg:"Forbidden synAck from HOME_NET";)


As the following extract of the alarm-logfile shows, this packet, which theoretically fits the pass-rule, is not matching the pass-rule but the final alarm-rule.
"
... 64.232.48.230.80 > 88.34.112.22.8888: S 2146395230:2146395230(0) ack 3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)
"

(For about 99% of the syn-ack responses from 64.232.48.230.80 the pass-rule is matching and no alarm is triggered.)

Is this a misconfiguration, or ???
TIA for any hints.....

./juergen


Juergen,

Start your snort with -o

-o         Change the rule testing order to Pass|Alert|Log

James
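To make the effect of James's suggestion concrete, here is a small added model of Snort 2.0 rule-order evaluation (example code written for this archive page, not Snort's own detection engine). It parses the two rules and the three variables from Juergen's post, builds the logged SYN-ACK packet from his alert-log line, and evaluates it once under the default order (Alert -> Pass -> Log) and once under the order selected by `snort -o` (Pass -> Alert -> Log). Two assumptions are labelled in the code: the poster's `alarm` action is treated as an alert-type action living in the alert list (the post does not show how `alarm` is defined), and `flags:SA` is modelled as Snort's exact-match semantics (SYN and ACK set, nothing else). The model does not explain the 1% anomaly; it shows why a pass rule can only reliably suppress an alert when the pass list is tested first.

```python
"""Toy model of Snort 2.0 rule-list ordering (added example, not Snort code)."""
import ipaddress
import re

# Variable definitions copied from the post.
VARS = {
    "HOME_NET": "64.232.48.224/28",
    "UNIVERSE": "0.0.0.0/0",
    "host1": "64.232.48.230",
}

# The two rules from the post, one per line. ASSUMPTION: the poster's custom
# "alarm" action is folded into the alert list, since the post does not show
# how "alarm" is defined.
RULES_TEXT = """
pass  tcp $host1    80  -> $UNIVERSE 1024: (flags: SA;)
alarm tcp $HOME_NET any -> $UNIVERSE any   (flags: SA; msg:"Forbidden synAck from HOME_NET";)
"""
ALERT_LIKE = {"alert", "alarm"}

# Snort 2.0 default order is Alert -> Pass -> Log; "snort -o" makes it
# Pass -> Alert -> Log (the order James quotes).
DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(line):
    """Parse a one-line rule header plus its (key:value; ...) option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    list_name = "alert" if action in ALERT_LIKE else action
    return {"action": action, "list": list_name, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "options": options}


def parse_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def addr_matches(spec, ip):
    """'any', a $VAR (resolved from VARS), a single host, or a CIDR block."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any', a single port, or a Snort range: 'lo:hi', 'lo:' or ':hi'."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))


def flags_match(spec, flags):
    """ASSUMPTION: flags:SA means exactly SYN and ACK set, no other bits."""
    return set(spec) == set(flags)


def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"])
            and flags_match(rule["options"].get("flags", ""), pkt["flags"]))


def evaluate(rules, pkt, order):
    """Walk the rule lists in `order`; the first list with a match decides."""
    for list_name in order:
        for rule in rules:
            if rule["list"] == list_name and rule_matches(rule, pkt):
                return rule["action"], rule["options"].get("msg", "")
    return None, ""


# The SYN-ACK from the poster's log: 64.232.48.230.80 > 88.34.112.22.8888
LOGGED_SYNACK = {"proto": "tcp", "src": "64.232.48.230", "sport": 80,
                 "dst": "88.34.112.22", "dport": 8888, "flags": "SA"}


def outcome_under(order, pkt=LOGGED_SYNACK):
    """Return the action that decides `pkt` under the given list order."""
    return evaluate(parse_rules(RULES_TEXT), pkt, order)[0]


if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print("%-8s %-16s -> %s" % (name, "->".join(order), outcome_under(order)))
```

Run as-is it prints `alarm` for the default order and `pass` for the `-o` order: with the alert list tested first, the `$HOME_NET any -> $UNIVERSE any` rule matches before the more specific pass rule is ever consulted, so the pass rule can only be effective once `-o` puts the pass list ahead of it. A SYN-ACK from any other HOME_NET host (say 64.232.48.231) still alarms under both orders, which is the policy the poster wants.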






