Snort mailing list archives

RE: -o and pass/alert/log usage


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 27 Jun 2001 14:17:56 -0400

I was told in another post that it doesn't matter WHERE the pass rules are
in any of the .rules files, and it doesn't matter in what order the rules
files are included in snort.conf. If you use the -o option, all pass rules
are taken into account first, then alerts. If this is wrong, I'd like to
know so I get it straight too!


-----Original Message-----
From: Joe Fico [mailto:Fico () AirAuto COM]
Sent: Wednesday, June 27, 2001 1:57 PM
To: Snort-users
Subject: FW: [Snort-users] -o and pass/alert/log usage


So what Olivier is saying (below) is that even with the -o option on startup
the PASS action doesn't stop a packet from continuing down the rule list
until it gets hit by an ALERT action? I'm confused what PASS is supposed to
do then...

-----Original Message-----
From: Olivier Grumelard
Sent: Tuesday, June 26, 2001 3:25 PM
To: Joe Fico
Subject: Re: [Snort-users] -o and pass/alert/log usage


"alert" rules have priority over "pass" rules, even if you write the "pass"
rule before the "alert" rule.

Hope that helps,

Olivier.

At 13:07 26/06/01 -0700, you wrote:
Greetings all!

I seem to be having problems (or misunderstandings) with the PASS option.

in /etc/rc.d/init.d/snortd I have

case "$1" in
  start)
        echo -n "Starting snort: "
        daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
                -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;

in my local rules file I have

alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP Redirect .28 (Network)"; itype:5; icode:0;)
alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP Redirect .37 (Network)"; itype:5; icode:0;)
#
pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype:0; icode:0;)
pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype:8; icode:0;)
pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any";)
pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any"; itype:5; icode:0;)
alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any"; itype:5; icode:0;)
#


and sure enough I get

Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37 (Network): 198.182.113.1 -> 198.182.113.37

This is good, I know I can write at least one rule right :)

but I also get

Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network): 198.182.113.1 -> 198.182.113.83

First off, shouldn't it have gotten taken care of by one of the PASS rules I
wrote?
Second, do PASS rules get logged like I wrote the above rules? How do I know
I am passing something successfully, besides that it never shows up again?


Thanks.


J



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
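As an added example (not code from this thread or from Snort itself), the following Python models the rule ordering the thread argues about: the default alert, pass, log order versus pass, alert, log under -o, applied to the ICMP network redirect from the second syslog line above. The value of $HOME_NET (198.182.113.0/24) and the exact text of the stock "ICMP Redirect (Network)" rule are assumptions; the parser only understands the subset of rule syntax used in the posted rules.

```python
import ipaddress
import re
# Toy model of Snort 1.x action ordering (added example, not Snort's own code).
# Default order is alert, pass, log; with -o it is pass, alert, log. Only the
# rule syntax used in the thread is parsed: icmp, any ports, -> or <>, msg/itype/icode.
DEFAULT_ORDER = ("alert", "pass", "log")
ORDER_WITH_O = ("pass", "alert", "log")
HOME_NET = ipaddress.ip_network("198.182.113.0/24")  # assumed value for $HOME_NET

HEADER_RE = re.compile(r"^(alert|pass|log)\s+icmp\s+(\S+)\s+any\s+(->|<>)\s+(\S+)\s+any\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')

def parse_rule(text):
    """Parse one rule line into a dict; reject syntax this toy does not model."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    action, src, direction, dst, body = m.groups()
    opts = {k: (q or v).strip() for k, q, v in OPTION_RE.findall(body)}
    return {"action": action, "src": src, "dir": direction, "dst": dst, "opts": opts}

def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(ip) in HOME_NET
    return ipaddress.ip_address(ip) == ipaddress.ip_address(spec)

def rule_matches(rule, pkt):
    fwd = addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])
    rev = addr_matches(rule["src"], pkt["dst"]) and addr_matches(rule["dst"], pkt["src"])
    if not (fwd or (rule["dir"] == "<>" and rev)):
        return False
    # itype/icode must equal the packet's values whenever the rule sets them
    return all(int(rule["opts"][k]) == pkt[k] for k in ("itype", "icode") if k in rule["opts"])

def evaluate(rules, pkt, order):
    """Return (action, msg) of the first match, searching one action group at a time."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["opts"].get("msg")
    return "none", None

# Constructed rule set: the pass rule from the post plus a stand-in for the
# stock rule behind the second syslog line in the thread.
RULES = [parse_rule(r) for r in (
    'pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT"; itype:5; icode:0;)',
    'alert icmp any any -> any any (msg:"ICMP Redirect (Network)"; itype:5; icode:0;)',
)]
REDIRECT = {"src": "198.182.113.1", "dst": "198.182.113.83", "itype": 5, "icode": 0}  # from the log line
```

Running `evaluate(RULES, REDIRECT, DEFAULT_ORDER)` yields the alert, while `evaluate(RULES, REDIRECT, ORDER_WITH_O)` yields the pass; a redirect from a source outside HOME_NET is still alerted under -o because the pass rule's `<>` header does not match it.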

