Snort mailing list archives
Snort Rules Help
From: "Cunningham, Andy" <acunningham () rsasecurity com>
Date: Fri, 9 Jul 2004 17:26:22 +0100
Hi there. Can someone help with a problem I'm having trying to write Snort rules? I have a series of rules to either pass legitimate traffic or alert on certain events. Finally I have a catch-all rule to alert on any packet not covered by the above. I've changed the rule order with -o so that pass rules have the desired effect, and this seems to be working.

    pass udp $SRC any <> $DEST $PORT (classtype:ignore;)
    alert ip any any -> any any (msg:"Unexpected unclassified traffic"; classtype:unexpected-traffic;)

These rules work fine for most of the traffic, but when a fragmented UDP packet comes through, the fragment causes the alert to be generated. I've tried adding fragoffset:0 into the rule to only alert if it's the first fragment, but it doesn't seem to help. Can anyone suggest what I might be doing wrong? Thanks in advance.
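An added example, not from the original post or from the Snort project, showing what a port-keyed pass rule and the fragoffset option actually have to work with: it builds a constructed UDP datagram, splits it into IPv4 fragments the way a sending host would, and parses each fragment for the offset, the more-fragments flag and (only where present) the UDP ports. Addresses, ports and payload are made up for the demonstration.

```python
import struct
import socket

IPPROTO_UDP = 17
MF_FLAG = 0x2000           # "more fragments" bit in the IPv4 flags/offset field
FRAG_OFFSET_MASK = 0x1FFF  # fragment offset, in units of 8 bytes

def build_ipv4(payload, ident, offset8, more_fragments,
               src="10.0.0.1", dst="10.0.0.2"):
    """Return a minimal IPv4 packet (checksum left zero) carrying one fragment."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset8 & FRAG_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def fragment_udp(sport, dport, data, mtu=576, ident=0x1234):
    """Split one UDP datagram into IPv4 fragments; only the first keeps the UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    chunk = (mtu - 20) // 8 * 8   # non-final fragment payloads are multiples of 8 bytes
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(build_ipv4(piece, ident, off // 8, more))
    return frags

def describe_fragment(pkt):
    """Parse one fragment as a sensor sees it on the wire, before any reassembly.

    The UDP ports are only recoverable from the fragment whose offset is 0;
    later fragments carry payload bytes only, so nothing port-based can match them.
    """
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset8 = flags_frag & FRAG_OFFSET_MASK
    more = bool(flags_frag & MF_FLAG)
    ports = None
    if offset8 == 0 and pkt[9] == IPPROTO_UDP:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"fragoffset": offset8, "more_fragments": more, "udp_ports": ports}

if __name__ == "__main__":
    for frag in fragment_udp(40000, 53, b"A" * 1000):   # constructed 1000-byte payload
        print(describe_fragment(frag))
```

Run as-is it prints one line per fragment; the second fragment reports a non-zero fragoffset and no ports, which is the packet a port-specific rule cannot see unless the sensor reassembles fragments first.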
Current thread:
- Snort Rules Help Cunningham, Andy (Jul 09)
- Re: Snort Rules Help Matt Kettler (Jul 09)
- <Possible follow-ups>
- RE: Snort Rules Help Esler, Joel - Contractor (Jul 09)
- RE: Snort Rules Help Hudak, Tyler (Jul 09)
- RE: Snort Rules Help Cunningham, Andy (Jul 15)