Snort mailing list archives
RE: Same source/dest
From: Erek Adams <erek () snort org>
Date: Wed, 2 Apr 2003 11:59:10 -0500 (EST)
On Wed, 2 Apr 2003, Brei, Matt wrote:
> That's exactly what I did. I'll refer you to my first post seen below.
>
> pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)
Remove the extra stuff. It's not needed, and you're 'reusing' a SID which you shouldn't do. You can shorten all that to:

pass ip 10.13.110.254 53 -> 10.13.110.254 1026

If 1026 is what port it always hits on. If it varies, then change it to:

pass ip 10.13.110.254 53 -> 10.13.110.254 any

I'm assuming that this is DNS traffic. To reduce the chance of something bad slipping by you could make it:

pass udp 10.13.110.254 53 -> 10.13.110.254 any

One thing to think about: If you're seeing a lot of traffic of this type, instead of using a pass rule, use a BPF filter. By using the BPF filter, you are stopping the packets from ever getting into Snort. As minor as that sounds, that can save you CPU cycles which is a good thing. It eliminates the need for reading and parsing the pass rules, and the comparisons to see if it should be passed. On a heavily loaded network, that could be a significant savings.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
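The three pass rules in the reply differ only in how much they exclude, and the BPF suggestion differs in where the exclusion happens. The following is an added example, not code from the thread or from Snort itself: a small Python model of Snort rule-header matching (proto, source, source port, destination, destination port, `any`) plus the `sameip` option, run over constructed packets so the three variants and the BPF alternative can be compared side by side. The sid 527 rule text is taken from the thread with its reference options trimmed; the packet list and the `BPF_EXCLUDE` expression are assumptions for illustration. Two caveats for the real tool: on the Snort 1.x/2.x builds current when this was written, pass rules were only evaluated before alert rules when snort was started with `-o`, and the BPF expression is handed to snort as a trailing command-line argument (or via `-F <file>`), which is exactly why it saves the rule-engine work the reply describes.

```python
"""Toy model of the pass-rule versus BPF-filter choice from the reply above.
Added example: it models Snort rule-header matching and the `sameip` option
only; it is not the Snort engine and the sample packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _field_ok(spec: str, value) -> bool:
    """A Snort header field is either a literal or the wildcard `any`."""
    return spec == "any" or str(spec) == str(value)


def parse_rule_header(rule: str) -> dict:
    """Parse `<action> <proto> <src> <sport> -> <dst> <dport> (options)`.
    Only the `sameip` option is understood; everything else is ignored."""
    header, _, options = rule.partition("(")
    parts = header.split()
    if len(parts) != 7 or parts[4] != "->":
        raise ValueError(f"unsupported rule header: {header!r}")
    action, proto, src, sport, _, dst, dport = parts
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "sameip": "sameip" in options}


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header match; `ip` matches every transport protocol."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["sameip"] and pkt.src != pkt.dst:
        return False
    return (_field_ok(rule["src"], pkt.src) and _field_ok(rule["sport"], pkt.sport)
            and _field_ok(rule["dst"], pkt.dst) and _field_ok(rule["dport"], pkt.dport))


# The three pass rules from the reply, broadest to narrowest in protocol terms.
PASS_RULES = {
    "port1026": "pass ip 10.13.110.254 53 -> 10.13.110.254 1026",
    "anyport":  "pass ip 10.13.110.254 53 -> 10.13.110.254 any",
    "udponly":  "pass udp 10.13.110.254 53 -> 10.13.110.254 any",
}
# sid 527 as quoted in the thread, reference options trimmed.
SAMEIP_ALERT = ('alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; '
                'sameip; classtype:bad-unknown; sid:527; rev:3;)')

# Assumed BPF equivalent of the udp-only pass rule. Given to snort as a
# trailing argument (or via -F <file>) it drops the traffic in the kernel.
BPF_EXCLUDE = ("not (udp and src host 10.13.110.254 and dst host 10.13.110.254 "
               "and src port 53)")


def bpf_passes(pkt: Packet) -> bool:
    """Model of BPF_EXCLUDE: True if the filter lets the packet reach snort."""
    return not (pkt.proto == "udp" and pkt.src == pkt.dst == "10.13.110.254"
                and pkt.sport == 53)


# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("udp", "10.13.110.254", 53, "10.13.110.254", 1026),  # the benign DNS reply
    Packet("udp", "10.13.110.254", 53, "10.13.110.254", 1031),  # same, different port
    Packet("tcp", "10.13.110.254", 53, "10.13.110.254", 1026),  # tcp to itself, suspicious
    Packet("udp", "10.13.110.254", 53, "10.13.110.7", 1026),    # normal reply, not sameip
    Packet("icmp", "10.13.110.50", 0, "10.13.110.50", 0),       # land-style spoof
]


def passed_by(rule_name: str) -> list[int]:
    """Indices of SAMPLE that the named pass rule would silence."""
    rule = parse_rule_header(PASS_RULES[rule_name])
    return [i for i, p in enumerate(SAMPLE) if rule_matches(rule, p)]


def alerts_with_pass_rule(rule_name: str) -> list[int]:
    """Indices that still alert on sid 527 when the pass rule runs first
    (Snort 1.x/2.x needed -o to get pass-before-alert ordering)."""
    pas = parse_rule_header(PASS_RULES[rule_name])
    alert = parse_rule_header(SAMEIP_ALERT)
    return [i for i, p in enumerate(SAMPLE)
            if rule_matches(alert, p) and not rule_matches(pas, p)]


def alerts_with_bpf() -> tuple[int, list[int]]:
    """(packets the rule engine still inspects, indices that alert on sid 527)."""
    alert = parse_rule_header(SAMEIP_ALERT)
    seen = [(i, p) for i, p in enumerate(SAMPLE) if bpf_passes(p)]
    return len(seen), [i for i, p in seen if rule_matches(alert, p)]


if __name__ == "__main__":
    for name in PASS_RULES:
        print(name, "silences", passed_by(name), "alerts", alerts_with_pass_rule(name))
    print("bpf: engine sees", alerts_with_bpf()[0], "packets, alerts", alerts_with_bpf()[1])
```

The `ip`-protocol pass rules silence the TCP packet to the host's own port 1026 as well as the UDP one, which is the "something bad slipping by" the reply warns about; the `udp` form and the BPF filter let that packet through to sid 527, and the BPF filter additionally keeps the rule engine from ever seeing the two DNS replies.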
Current thread:
- Same source/dest Keg (Apr 01)
- Re: Same source/dest james (Apr 01)
- Re: Same source/dest Erek Adams (Apr 02)
- Re: Same source/dest James-lists (Apr 02)
- Re: Same source/dest Erek Adams (Apr 02)
- <Possible follow-ups>
- RE: Same source/dest Brei, Matt (Apr 02)
- Re: Same source/dest Keg (Apr 02)
- RE: Same source/dest Hutchinson, Andrew (Apr 02)
- RE: Same source/dest Brei, Matt (Apr 02)
- RE: Same source/dest Erek Adams (Apr 02)
- Re: Same source/dest Keg (Apr 02)
- Re: Same source/dest Erek Adams (Apr 02)
- Re: Same source/dest Keg (Apr 02)
- Re: Same source/dest Erek Adams (Apr 02)
- RE: Same source/dest Erek Adams (Apr 02)
- Re: Same source/dest james (Apr 01)
- RE: Same source/dest Erek Adams (Apr 02)
- RE: Same source/dest Erek Adams (Apr 02)