Snort mailing list archives
Overriding alert rules with pass rules for specific cases
From: Kimi Ushida <kimi () kimiushida com>
Date: Thu, 08 May 2014 21:10:23 -0700
I have a question about writing a rule which, in specific cases, will pass (not alert/drop) traffic that a VRT rule would otherwise alert on. I'd like to leave the original VRT rule enabled as-is (for example, SID 25975, revision 2) since it's generally reliable. However, this falses in cases where we have a vuln scanner that we'd like to pass through without dropping, but this scanner's source IP may be obfuscated (such as through NAT, etc.) and from the perspective of the sensor could potentially share this same source IP with actual malicious sources. Therefore using BPF wouldn't work, since I have no way of distinguishing in the IP header between good and evil clients.

I figured this is simply writing an equivalent pass rule keeping all of the original rule options in place, but with an additional content match which singles out the legitimate traffic we want to pass (in my case, the legit vuln scanner traffic will be seen with a unique content string which I can flag against). However, I'm apparently not doing something right, and I'm guessing this is attributable to the "fast_pattern:only;" part in the original VRT rule. Perhaps I need a refresher on the fast-pattern matching system to understand where I'm going wrong. Any pointers appreciated.

Thanks.
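As an added illustration of the approach the poster describes (this is not from the original post, and it is not the text of SID 25975, which is not reproduced here), the following fragment shows a hypothetical VRT-style alert rule next to a pass rule that copies every option of the alert rule and adds one extra content match that only the legitimate scanner produces. The URI `/admin/example.php`, the scanner marker header `X-Scanner-Token: acme-vuln-scan`, the variable names and the SIDs in the local 1000000+ range are all assumptions made for the example.

```snort
# Hypothetical VRT-style rule (constructed for illustration, NOT SID 25975).
# "fast_pattern:only" hands this content to the multi-pattern matcher only;
# it is never re-evaluated as an ordinary rule option, so it cannot carry
# relative modifiers (distance/within) in this rule or in any copy of it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP example admin script access attempt"; \
    flow:to_server,established; \
    content:"/admin/example.php"; fast_pattern:only; http_uri; \
    metadata:service http; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )

# Pass rule: identical options to the alert rule, plus one additional
# content match on a marker (assumed here) that only the authorised
# scanner sends. The extra content is a normal rule option evaluated
# after the fast-pattern match, so the pass rule matches only the
# scanner's requests; every other client still trips the alert rule.
# Pass rules only take precedence if they are evaluated before alert
# rules: check "config order" in snort.conf and make sure pass is listed
# ahead of alert, otherwise the alert fires anyway.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL pass authorised vuln scanner on example admin script"; \
    flow:to_server,established; \
    content:"/admin/example.php"; fast_pattern:only; http_uri; \
    content:"X-Scanner-Token: acme-vuln-scan"; http_header; \
    metadata:service http; \
    classtype:not-suspicious; \
    sid:1000002; rev:1; )
```

The marker string is what does the work: because it is sent only by the scanner (and is not visible in the IP header), it lets the pass rule discriminate where a BPF filter on the NATed source address cannot. Keep the scanner's marker out of any documentation an attacker can read, since anyone who learns it can replay it to ride through the same pass rule.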
Current thread:
- Overriding alert rules with pass rules for specific cases Kimi Ushida (May 08)
- Re: Overriding alert rules with pass rules for specific cases Joel Esler (jesler) (May 09)
- Re: Overriding alert rules with pass rules for specific cases Kimi Ushida (May 09)
- Re: Overriding alert rules with pass rules for specific cases Joel Esler (jesler) (May 09)