Snort mailing list archives

Re: catch all rule


From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Tue, 19 Jun 2001 10:05:19 +0100

Why not use "log" instead of "alert"?

something like 

alert blahblahblah (standard snort rules)
pass tcp !MY_NET any -> webserver 80
log ip any any -> any any (msg:"tcp dmz traffic";)

this is the standard order without the -o option

regards,
Vitaly



barre wrote:

Hello,

In the following example, I want to protect my dmz and will make an
"alert" rule for all traffic from and to my dmz.

alert ip any any -> any any (msg:"tcp dmz traffic";)

But in this case, alerts will be generated when people access my
webserver. So I make this nice pass rule to grant access to my webserver.

pass tcp !MY_NET any -> webserver 80

Because this pass rule is applied below the alert rule, I have to use the
-o option, to make sure that this previous rule makes an exception to the
other rules.

But in this scenario, I don't check the content of the pass rule for
malicious traffic using the other alert rules. But if I delete the pass
rule, it triggers the "catch all other traffic" rule.

Therefore: is there another way to implement a "catch all traffic"
rule? Using this rule, you can write rules for all
allowed traffic, and alert for all non-defined traffic. All other
signatures (http malicious traffic for example) will still be applied to
all traffic, even if they are in the pass or catch all rules.

Does someone have an idea?

Thanks a lot.

barre
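Vitaly's point is that under Snort's default alert -> pass -> log order the pass rule only shields web traffic from the catch-all log rule, while -o (pass -> alert -> log) lets it shield that traffic from the attack signatures too. The toy simulation below is an added illustration, not Snort's code and not from either poster; the addresses, the "cmd.exe" content check and the simplified rule model are constructed assumptions.

```python
from collections import namedtuple

MY_NET = "10.1.0."        # constructed DMZ prefix standing in for MY_NET
WEBSERVER = "10.1.0.80"   # constructed address of the DMZ web server

# action: alert/pass/log; proto: tcp/udp/icmp/ip (ip matches all);
# src/dst: "any", "!MY_NET" or one address; dport: "any" or a port string;
# content: bytes that must appear in the payload (b"" matches everything).
Rule = namedtuple("Rule", "action proto src dst dport msg content",
                  defaults=("", b""))
Packet = namedtuple("Packet", "proto src dst dport payload", defaults=(b"",))

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "!MY_NET":
        return not addr.startswith(MY_NET)
    return spec == addr

def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport == "any" or int(rule.dport) == pkt.dport)
            and rule.content in pkt.payload)

def evaluate(rules, pkt, pass_first=False):
    """Return the actions fired for pkt as 'action:msg' strings.
    Default order is alert -> pass -> log; pass_first models -o
    (pass -> alert -> log). A matching pass rule ends evaluation."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    fired = []
    for action in order:
        for r in rules:
            if r.action == action and rule_matches(r, pkt):
                if action == "pass":
                    return fired
                fired.append(f"{action}:{r.msg}")
    return fired

RULES = [  # the thread's three rules; the alert gets a constructed signature
    Rule("alert", "tcp", "any", "any", "80", "web attack", b"cmd.exe"),
    Rule("pass", "tcp", "!MY_NET", WEBSERVER, "80"),
    Rule("log", "ip", "any", "any", "any", "dmz traffic"),
]
```

Run evaluate() on the same outside-to-webserver packet with and without pass_first to see the alert disappear under -o, and on a non-web packet to see the log rule act as the catch-all.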

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
