Snort mailing list archives
RE: ignore host for just a couple of rules, not all
From: Piers Williams <PiersW () zinc co uk>
Date: Tue, 19 Jun 2001 14:45:11 +0100
hmm, that just means you're going to have to write a whole bunch of pass rules.

My problem is similar: the 'MISC source port 53 access to <1024' rule goes off like _all_ the time.

alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)

...and it's all perfectly legit DNS traffic that sets it off. I don't want to add

pass tcp any 53 -> dnsservers 53

as I still want the DNS traffic analysed for normal BIND attacks. So how to exclude the DNS traffic from the rule, short of writing something like:

alert tcp $EXTERNAL_NET 53 -> !$DNS_SERVERS :1024 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)
alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS :52 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)
alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS 54:1024 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)

which seems a bit arse, not least because (!$DNS_SERVERS) != ($HOME_NET && !$DNS_SERVERS) as it were, as well as it involves editing the Misc.rules, rather than the local.rules (ie: there's no clean way of me re-applying my changes to the next ruleset release like there would be if all my 'overrides' were in local.rules).

BTW: Does snort chain the logic in IP ranges, ie would [$HOME_NET,!$DNS_SERVERS] be all the homenet IPs that weren't in the DNS_Servers range?
-----Original Message-----
From: Brian Caswell [mailto:bmc () mitre org]
Sent: 15 June 2001 14:02
To: Roeland Weve
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ignore host for just a couple of rules, not all

Roeland Weve wrote:
> 47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C  GET /searchresul
> 74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F  t/../pix/nav/mo_
> 30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30  0_a.gif HTTP/1.0
> 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A  ..Referer: http:
>
> I now exclude this host via:
> pass tcp any any -> hostip 80

pass tcp any any -> hostip 80 (msg:"pass /../ where acceptable"; uricontent:"/../"; flags:A+;)
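An added example, not from the thread, illustrating the (!$DNS_SERVERS) != ($HOME_NET && !$DNS_SERVERS) point raised in Piers' message: a small Python evaluator for Snort-style IP lists with negation. The network values are constructed, and the assumed semantics (negated entries are excluded, positive entries are OR-ed, a list of only negations matches every non-excluded address) are an assumption for illustration, not a statement of what the Snort release of the time implemented.

```python
import ipaddress

# Constructed sample values for the variables used in the quoted rules.
VARS = {
    "$HOME_NET": ["192.168.1.0/24"],
    "$DNS_SERVERS": ["192.168.1.53/32"],
}

def matches(spec, addr):
    """Return True if addr is covered by a Snort-style IP list.

    spec is a list of entries: a CIDR, a $VARIABLE, "any", or any of
    those prefixed with "!" to negate it. Assumed semantics: the address
    must not fall inside any negated entry and must fall inside at least
    one positive entry; if the list has no positive entries at all,
    every non-excluded address matches.
    """
    addr = ipaddress.ip_address(addr)
    positives, negatives = [], []
    for item in spec:
        negate = item.startswith("!")
        token = item[1:] if negate else item
        cidrs = ["0.0.0.0/0"] if token == "any" else VARS.get(token, [token])
        nets = [ipaddress.ip_network(c) for c in cidrs]
        (negatives if negate else positives).extend(nets)
    if any(addr in net for net in negatives):
        return False
    return not positives or any(addr in net for net in positives)

def compare_destinations(dst_ip):
    """Evaluate the two candidate destination specs from the posting."""
    return {
        "!$DNS_SERVERS": matches(["!$DNS_SERVERS"], dst_ip),
        "[$HOME_NET,!$DNS_SERVERS]": matches(["$HOME_NET", "!$DNS_SERVERS"], dst_ip),
    }

if __name__ == "__main__":
    # An internal host, the DNS server itself, and an external address:
    # "!$DNS_SERVERS" alone also fires on the external one.
    for ip in ("192.168.1.10", "192.168.1.53", "203.0.113.9"):
        print(ip, compare_destinations(ip))
```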
Current thread:
- ignore host for just a couple of rules, not all Roeland Weve (Jun 15)
- Re: ignore host for just a couple of rules, not all Brian Caswell (Jun 15)
- <Possible follow-ups>
- RE: ignore host for just a couple of rules, not all Piers Williams (Jun 19)