Snort mailing list archives

RE: catch all rule


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 18 Jun 2001 22:24:21 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Uhm, how about running two instances of snort with different
configurations? One instance can monitor only the web traffic and
alert on exploits, the other can ignore web traffic and you can use
your catch-all rule in there.


It would be nice to have a rules checking priority system... wasn't
there talk about that for 1.8? If not, here's the suggestion :)  
Until then, running multiple instances will solve the problem.

Regards,
Frank


-----Original Message-----
From: barre [mailto:barre () chello be]
Sent: Tuesday, June 18, 2002 2:18 AM
To: snort-users () lists sourceforge net

In the following example, I want to protect my DMZ and will make an "alert" rule for all traffic from and to my DMZ.

alert ip any any -> any any (msg:"tcp dmz traffic";)

But in this case, alerts will be generated when people access my
webserver. So I make this nice pass rule to grant access to 
my webserver.

pass tcp !$MY_NET any -> webserver 80

Because this pass rule is applied below the alert rule, I have to use the -o option, to make sure that this previous rule makes an exception to the other rules.

But in this scenario, I don't check the content of the pass rule for malicious traffic using the other alert rules. But if I delete the pass rule, it triggers the "catch all other traffic" rule.

Therefore: is there another way to implement a "catch all traffic" rule? Using this rule, you can write rules for all allowed traffic, and alert for all non-defined traffic. All other signatures (http malicious traffic for example) will still be applied to all traffic, even if they are in the pass or catch all rules.

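As an added illustration (not code from either poster), here is a small Python model of the rule-ordering problem in the thread and of the two-instance workaround. It assumes Snort 1.x semantics: rule types are applied in a fixed order (alert, pass, log; -o swaps alert and pass), the first matching rule in a type list wins, and a matching pass rule silences the packet for the remaining lists. Addresses, packets and the "../.." signature are constructed for the example.

```python
import ipaddress

# Snort 1.x applies rule types in a fixed order; -o swaps alert and pass.
ORDER_DEFAULT = ("alert", "pass", "log")
ORDER_O_FLAG = ("pass", "alert", "log")

DMZ_NET = "192.168.1.0/24"      # constructed DMZ range (stands in for $MY_NET)
WEBSERVER = "192.168.1.10"      # constructed web server address

def _ip_ok(spec, ip):
    """'any', a CIDR, or a '!'-negated CIDR, as in a Snort rule header."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def matches(rule, pkt):
    action, proto, src, sport, dst, dport, content, msg = rule
    return (proto in ("ip", pkt["proto"])
            and _ip_ok(src, pkt["src"]) and _ip_ok(dst, pkt["dst"])
            and sport in ("any", pkt["sport"]) and dport in ("any", pkt["dport"])
            and (content is None or content in pkt["payload"]))

def evaluate(rules, pkt, order=ORDER_DEFAULT):
    """Model: first match in a type list wins; a pass match silences the rest."""
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, pkt):
                return rule[7] if action == "alert" else None
    return None

# Rules: (action, proto, src, sport, dst, dport, content, msg)
WEB_SIG = ("alert", "tcp", "any", "any", WEBSERVER, 80, "../..", "WEB traversal attempt")
CATCH_ALL = ("alert", "ip", "any", "any", "any", "any", None, "dmz catch-all")
PASS_WEB = ("pass", "tcp", "!" + DMZ_NET, "any", WEBSERVER, 80, None, "")
SINGLE = [WEB_SIG, CATCH_ALL, PASS_WEB]          # the single-instance setup from the question

def two_instances(pkt):
    """Frank's suggestion: a web-only instance plus a catch-all instance run with -o."""
    web = evaluate([WEB_SIG], pkt)
    rest = evaluate([CATCH_ALL, PASS_WEB], pkt, ORDER_O_FLAG)
    return web, rest

# Constructed sample packets
WEB_OK = dict(proto="tcp", src="10.0.0.5", sport=40000, dst=WEBSERVER, dport=80, payload="GET /index.html")
WEB_BAD = dict(proto="tcp", src="10.0.0.5", sport=40001, dst=WEBSERVER, dport=80, payload="GET /../../etc/passwd")
SSH_IN = dict(proto="tcp", src="10.0.0.5", sport=40002, dst="192.168.1.20", dport=22, payload="SSH-2.0")

if __name__ == "__main__":
    for name, pkt in (("WEB_OK", WEB_OK), ("WEB_BAD", WEB_BAD), ("SSH_IN", SSH_IN)):
        print(name, evaluate(SINGLE, pkt), evaluate(SINGLE, pkt, ORDER_O_FLAG), two_instances(pkt))
```

With the default order every web request trips the catch-all; with -o the pass rule also hides the exploit signature; splitting the rule sets across two instances keeps both the exploit alert and the catch-all.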
