Snort mailing list archives
RE: Rules Question
From: "Roy Kidder" <rkidder () safelite net>
Date: Mon, 28 Feb 2005 15:41:02 -0500
Even when using the -o flag, I still get alerts on many things. For example,

    pass udp 192.168.1.33 any -> any 161

still generates alerts for 'SNMP request udp', and neither sfscan nor rules like:

    pass ip 192.168.1.5/32 any -> any 80
    pass tcp 192.168.1.5/32 any -> any 80

stop the '(portscan) Open Port' alerts for regular web browsing. Anyone have any suggestions?
-----Original Message-----
From: Jeff Dell [mailto:jdell () activeworx com]
Sent: Friday, February 25, 2005 9:04 AM
To: 'Roy Kidder'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rules Question

Check your rules order. By default it is alert -> pass -> log -> etc... Try adding the flag -o to your command line options when starting snort.

Cheers,
Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Roy Kidder
Sent: Friday, February 25, 2005 8:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rules Question

I'm trying to write what I expected to be a simple set of rules, but it's not working for me. They look like this:

    pass udp any any <> 10.0.0.10 53
    pass udp any any <> 192.168.1.5 53
    alert udp any any <> any 53 (msg: "DNS Query";)

What I expected was to alert on any DNS queries except those to 10.0.0.10 or to 192.168.1.5. Instead, I'm seeing alerts on everything including those two hosts. Any pointers on what I did wrong?

Thanks in advance,
Roy

Roy Kidder
Network Engineer
Safelite Glass Corp.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
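A small model of the rule ordering Jeff describes, applied to the three rules from Roy's original post. This is an added example, not code from the thread or from Snort itself: it models only rule-header matching and the action order (default alert -> pass -> log versus the pass -> alert -> log that -o selects), ignores rule options and preprocessor events such as portscan, and the client address 192.168.1.50 and port 51000 are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Optional, Sequence

class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    sport: str
    direction: str  # "->" or the bidirectional "<>"
    dst: str
    dport: str

def parse_rule(text: str) -> Rule:
    """Parse a Snort rule header; the option body in parentheses, if any, is ignored."""
    return Rule(*text.split("(", 1)[0].split())

def _addr_match(spec: str, ip: str) -> bool:
    # "any", a bare host address, or a CIDR block such as 192.168.1.5/32
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def matches(r: Rule, proto: str, sip: str, sp: int, dip: str, dp: int) -> bool:
    """True if the header matches; a "<>" rule also matches with the endpoints swapped."""
    def one_way(a, ap, b, bp):
        return (_addr_match(r.src, a) and _port_match(r.sport, ap)
                and _addr_match(r.dst, b) and _port_match(r.dport, bp))
    if r.proto not in ("ip", proto):
        return False
    return one_way(sip, sp, dip, dp) or (r.direction == "<>" and one_way(dip, dp, sip, sp))

def evaluate(rules: Sequence[Rule], order: Sequence[str], *pkt) -> Optional[str]:
    """Action of the first matching rule, trying the action groups in `order`.
    Snort's default order is alert -> pass -> log; -o makes it pass -> alert -> log."""
    for action in order:
        for r in rules:
            if r.action == action and matches(r, *pkt):
                return action
    return None

# The three rules from Roy's original post
RULES = [parse_rule(s) for s in (
    "pass udp any any <> 10.0.0.10 53",
    "pass udp any any <> 192.168.1.5 53",
    'alert udp any any <> any 53 (msg: "DNS Query";)',
)]
DEFAULT_ORDER = ("alert", "pass", "log")  # Snort's default
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what -o selects
QUERY = ("udp", "192.168.1.50", 51000, "10.0.0.10", 53)  # constructed sample packet
```

With the default order `evaluate(RULES, DEFAULT_ORDER, *QUERY)` returns "alert" even though a pass rule matches, which is exactly what Roy saw; with PASS_FIRST_ORDER the same packet returns "pass".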
Current thread:
- Rules Question Roy Kidder (Feb 25)
- RE: Rules Question Jeff Dell (Feb 25)
- RE: Rules Question Roy Kidder (Feb 28)
- RE: Rules Question Jeff Dell (Feb 28)
- RE: Rules Question Roy Kidder (Feb 28)
- RE: Rules Question Roy Kidder (Feb 28)
- RE: Rules Question Jeff Dell (Feb 25)