Snort mailing list archives

Previous By Date Next
Previous By Thread Next

catch all rule

From: barre <barre () chello be>
Date: Tue, 18 Jun 2002 09:17:56 +0200 (CEST)
Hello,

In the following example , I want to protect my dmz and will make a
"alert"
rule for all traffic from and to my dmz.

alert any any any -> any any (msg: \"tcp dmz traffic";)

But in this case, alerts will be generated when people access my
webserver. So I make this nice pass rule to grant access to my webserver.

pass tcp !MY_NET any -> webserver 80

Because this pass rule is applied below the alert rule, I have to use the
-o option, to make sure that this previous rule makes an exception to the
other rules.

But in this scenario, I don't check the content of the pass rule for
malicious traffic using the other alert rules. But if I delete the pass
rule, it triggers the "catch all other traffic" rule.

Therefor: is there an other way to implement a "catch all traffic"
rule? Using this rule, you can write rules for all
allowed traffic , and alert for all non-defined traffic. All other
signatures (http malicious traffic for example) will still be applied to
all traffic, even if they are in the pass or catch all rules.

Someone has an idea?

Thanks a lot.

barre


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: