Snort mailing list archives
RE: Snort Rules Help
From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Fri, 9 Jul 2004 14:32:22 -0400
Is it coming through on one of the preprocessors? What alert is it generating?

J

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Cunningham, Andy
Sent: Friday, July 09, 2004 12:26 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Snort Rules Help

Hi there.

Can someone help with a problem I'm having trying to write snort rules? I have a series of rules to either pass legitimate traffic or alert on certain events. Finally I have a catch-all rule to alert on any packet not covered by the above. I've changed the rule order with -o so that pass rules have the desired effect, and this seems to be working.

pass udp $SRC any <> $DEST $PORT (classtype:ignore;)
alert ip any any -> any any (msg: "Unexpected unclassified traffic"; classtype: unexpected-traffic;)

These rules work fine for most of the traffic, but when I get a fragmented UDP packet come through, the fragment causes the alert to be generated. I've tried adding a fragoffset:0 into the rule to only alert if it's the first fragment, but it doesn't seem to help. Can anyone suggest what I might be doing wrong?

Thanks in advance
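A small Python model of the two rules in the quoted message, added here as an illustration and not code from the thread or from Snort: it builds a constructed two-fragment UDP datagram and shows why a port-qualified pass rule cannot match a non-first fragment (the UDP header exists only in the offset-0 fragment), so the ip any/any catch-all fires on it, and what adding fragoffset:0 to the alert rule changes in this simplified model. It does not model frag2 reassembly or Snort's real detection engine; packet contents, ports and addresses are constructed samples.

```python
import struct

# Constructed sample traffic (not from the thread): one UDP datagram to port 53
# split into two IPv4 fragments. Only the first fragment carries the UDP header.
def ipv4(payload, ident, mf, frag_off, proto=17,
         src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    flags_off = (0x2000 if mf else 0) | frag_off          # frag_off in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)   # header checksum left at 0
    return hdr + payload

UDP_HDR = struct.pack("!HHHH", 40000, 53, 8 + 32, 0)    # sport, dport, length, csum
DATA = bytes(range(32))
FRAG1 = ipv4(UDP_HDR + DATA[:16], 0x1234, mf=True, frag_off=0)   # 24-byte payload
FRAG2 = ipv4(DATA[16:], 0x1234, mf=False, frag_off=3)            # offset 3*8 = 24

def parse(pkt):
    """Return the fields a port-based rule needs; ports are None when unavailable."""
    ver_ihl, _, _, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"proto": proto, "id": ident, "mf": bool(flags_off & 0x2000),
            "frag_off": flags_off & 0x1FFF, "sport": None, "dport": None}
    payload = pkt[ihl:]
    # The transport header is present only in the fragment with offset 0.
    if proto == 17 and info["frag_off"] == 0 and len(payload) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info

def classify(pkt, port, fragoffset=None):
    """Model of the thread's two rules with -o ordering (pass before alert).
    fragoffset models adding 'fragoffset:N' to the alert rule."""
    info = parse(pkt)
    # pass udp $SRC any <> $DEST $PORT: needs a port, so it can never match a
    # non-first fragment, whose UDP header travelled in the offset-0 fragment.
    if info["proto"] == 17 and port in (info["sport"], info["dport"]):
        return "pass"
    # alert ip any any -> any any [fragoffset:N]
    if fragoffset is None or info["frag_off"] == fragoffset:
        return "alert"
    return "none"
```

In this model the second fragment never reaches the pass rule, so without a fragment qualifier the catch-all alerts on it exactly as the message describes.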
Current thread:
- Snort Rules Help Cunningham, Andy (Jul 09)
- Message not available
- Re: Snort Rules Help Matt Kettler (Jul 09)
- Message not available
- <Possible follow-ups>
- RE: Snort Rules Help Esler, Joel - Contractor (Jul 09)
- RE: Snort Rules Help Hudak, Tyler (Jul 09)
- RE: Snort Rules Help Cunningham, Andy (Jul 15)