Re: Pass rules - no effect/not working

[Jeremy Hoel <jthoel () gmail com>]

There is a config option which controls the order how things work..
'config order'

What order are you running?

# cat /var/log/messages | grep snort | grep order
Mar 27 20:28:45 my_machine snort[1659]: Rule application order: ->activation-
dynamic->pass->drop->alert->log

If alert is before pass that could be a problem.

Check that and then we can look at some other things..





On Sat, Jan 26, 2013 at 1:53 AM, Ward Sladek <wsladekjr () hotmail com> wrote:
> I have several pass rules in which I continue to get alerts for and need
> some help figuring out why...  Some of them are very basic rules, just
> host/port -> host/port.
>
> I'm running Snort version 2.9.4 GRE (Build 40) on CentOS 6.3 and here is my
> rule order config:
> config order: pass activation dynamic drop sdrop reject alert log
>
> Sample pass rules that are not working:
> pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic due to
> Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
> pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic due to
> Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)
>
>
> And the alerts that should not be triggering:
> Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc
> ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP}
> 10.16.135.95:947 -> 10.16.135.2:2049
> Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file
> download [Classification: Misc activity] [Priority: 3] {TCP}
> 10.16.135.2:2049 -> 10.16.135.95:947
>
>
> Solutions I've tried:
>
> 1.  Separating the pass rule into two directional rules (as seen above)
> instead of using just one rule with bidirectional operator
>
> 2.  Configured the event_queue to order by priority, then made a custom
> classtype "pass-rule" with the highest priority of "1", incrementing all
> others +1 (hoping this would ensure my pass rules are processed first)
>
> 2.  Ran it through Dumbpig just to be sure... It reports two problems,
> however they're unrelated to this:  "TCP/UDP rule with no deep packet
> checks?" and "TCP, without flow."
>
>
> Any idea what I may be doing wrong or why I'm still getting alerts?
>
> Thanks in advance,
> -W
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!