Snort mailing list archives

RE: ignore host for just a couple of rules, not all


From: Piers Williams <PiersW () zinc co uk>
Date: Tue, 19 Jun 2001 14:45:11 +0100

hmm, that just means you're going to have to write a whole bunch of pass
rules.
My problem is similar: the 'MISC source port 53 access to <1024' rule goes
off like _all_ the time.
        alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)
...and it's all perfectly legit DNS traffic that sets it off.

I don't want to add 
        pass tcp any 53 -> dnsservers 53
as I still want the DNS traffic analysed for normal BIND attacks. So how to
exclude the DNS traffic from the rule, short of writing something like:
        alert tcp $EXTERNAL_NET 53 -> !$DNS_SERVERS :1024 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)
        alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS :52 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)
        alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS 54:1024 (msg:"MISC source port 53 to <1023";flags:S; reference:arachnids,7;)

which seems a bit arse, not least because (!$DNS_SERVERS) != ($HOME_NET &&
!$DNS_SERVERS) as it were, as well as it involves editing the Misc.rules,
rather than the local.rules (ie: there's no clean way of me re-applying my
changes to the next ruleset release like there would be if all my
'overrides' were in local.rules)

BTW: Does snort chain the logic in IP ranges, ie would
        [$HOME_NET,!$DNS_SERVERS]
be all the homenet IPs that weren't in the DNS_Servers range?

-----Original Message-----
From: Brian Caswell [mailto:bmc () mitre org]
Sent: 15 June 2001 14:02
To: Roeland Weve
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ignore host for just a couple of rules, not
all


Roeland Weve wrote:
47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C   GET /searchresul
74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F   t/../pix/nav/mo_
30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30   0_a.gif HTTP/1.0
0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:

I now exclude this host via:
pass tcp any any -> hostip 80

pass tcp any any -> hostip 80 (msg:"pass /../ where acceptable";
uricontent:"/../"; flags:A+;)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
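As an added example, not code from this thread and not Snort's own parser: a small Python evaluator for Snort-style rule headers that applies the set semantics Piers is asking about (a bracketed list matches an address that lies inside at least one positive entry and inside none of the negated entries; a bare `!X` matches everything outside X) and runs the three destination forms from the thread over constructed packets. The variable bindings, sample packets and the matching semantics are assumptions made for illustration; confirm against the manual of the Snort version you run before relying on `[$HOME_NET,!$DNS_SERVERS]` in a live rule. One further point to check when reaching for `pass` rules, which the thread does not mention: Snort 1.x/2.x evaluates alert rules before pass rules by default, and the `-o` switch reorders evaluation to pass, alert, log.

```python
import ipaddress

# Constructed variable bindings for the example; the thread only names the
# variables, not their values.
VARS = {
    "HOME_NET": "[192.0.2.0/24,198.51.100.0/24]",
    "DNS_SERVERS": "[192.0.2.53,198.51.100.53]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def _split_list(spec):
    """Split a bracketed list such as '[a,b,!c]' on its top-level commas."""
    items, depth, cur = [], 0, ""
    for ch in spec[1:-1]:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]


def addr_matches(spec, ip):
    """Does `ip` match the address spec?  Semantics assumed for this example:
    'any' matches everything; a bare !X matches everything outside X; a list
    matches when the address is inside at least one positive entry and inside
    none of the negated entries (a list of only negated entries matches
    everything outside them)."""
    spec = spec.strip()
    ip = ipaddress.ip_address(str(ip))
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], ip)
    if spec.startswith("[") and spec.endswith("]"):
        entries = _split_list(spec)
        positive = [e for e in entries if not e.startswith("!")]
        negated = [e[1:] for e in entries if e.startswith("!")]
        in_positive = not positive or any(addr_matches(e, ip) for e in positive)
        in_negated = any(addr_matches(e, ip) for e in negated)
        return in_positive and not in_negated
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Snort-style port spec: 'any', '53', ':1024', '54:1024', '!53'."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def header_matches(header, pkt):
    """Match 'tcp $EXTERNAL_NET 53 -> $HOME_NET :1024' against
    pkt = (proto, src_ip, src_port, dst_ip, dst_port).  Only '->' is handled."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only '->' headers are handled in this example")
    p, sip, spt, dip, dpt = pkt
    return (proto == p
            and addr_matches(src, sip) and port_matches(sport, spt)
            and addr_matches(dst, dip) and port_matches(dport, dpt))


# The three destination forms discussed in the thread.
HEADERS = {
    "original": "tcp $EXTERNAL_NET 53 -> $HOME_NET :1024",
    "negated": "tcp $EXTERNAL_NET 53 -> !$DNS_SERVERS :1024",
    "combined": "tcp $EXTERNAL_NET 53 -> [$HOME_NET,!$DNS_SERVERS] :1024",
}

# Constructed sample packets: (proto, src_ip, src_port, dst_ip, dst_port).
PACKETS = {
    "dns reply to our dns server": ("tcp", "203.0.113.9", 53, "192.0.2.53", 53),
    "port-53 syn to a workstation": ("tcp", "203.0.113.9", 53, "192.0.2.77", 445),
    "external to external": ("tcp", "203.0.113.9", 53, "203.0.113.200", 80),
}


def evaluate():
    """For each sample packet, report which header variant would fire."""
    return {name: {label: header_matches(h, pkt) for label, h in HEADERS.items()}
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:30s} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

The "external to external" row is the point Piers makes: with `!$DNS_SERVERS` alone the header matches traffic that never touches the home net at all, while `[$HOME_NET,!$DNS_SERVERS]` (under the semantics assumed here) keeps the rule scoped to home-net hosts minus the DNS servers, and the DNS reply to the resolver stops firing without a `pass` rule.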

