RE: catch all rule

["Graham M Locke" <graham () waldonet net mt>]

On Date: Tue, 18 Jun 2002 09:17:56 +0200 (CEST), barre wrote:

> In the following example , I want to protect my dmz and will make a
> "alert" rule for all traffic from and to my dmz.
>
> alert any any any -> any any (msg: \"tcp dmz traffic";)
>
> But in this case, alerts will be generated when people access my
> webserver. So I make this nice pass rule to grant access to my webserver.

> pass tcp !MY_NET any -> webserver 80
>
> Because this pass rule is applied below the alert rule, I have to use the

> -o option, to make sure that this previous rule makes an exception to the

> other rules.
>
> But in this scenario, I don't check the content of the pass rule for
> malicious traffic using the other alert rules. But if I delete the pass
> rule, it triggers the "catch all other traffic" rule.
>
> Therefor: is there an other way to implement a "catch all traffic"
> rule? Using this rule, you can write rules for all
> allowed traffic , and alert for all non-defined traffic. All other
> signatures (http malicious traffic for example) will still be applied to
> all traffic, even if they are in the pass or catch all rules.
>
> Someone has an idea?
>
> Thanks a lot.
>
> barre

Try: alert tcp !MY_NET any -> any !80 (msg: \"tcp dmz traffic";)
and: alert udp !MY_NET any -> any !80 (msg: \"udp dmz traffic";)

Which says 'alert on protocol NOT from my network -> any network NOT port 80'

and you wont need the -o switch.

You were 95% there with your pass rule.

Regards

Graham.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users