Snort mailing list archives

Re: Quick Rule's Question...


From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 6 Mar 2002 12:30:51 -0800

Hello Erek,

At 11:40 AM -0800 3/6/02, Erek Adams wrote:
On Wed, 6 Mar 2002, Mark Taber wrote:

[...snip...]

 (Rule that is in the web-misc file)
 alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
 Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
 classtype:attempted-recon; sid:1201; rev:2;)

 (Rule that I am creating)
 pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network)
 (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
 depth:12; classtype:attempted-recon; sid:1201; rev:2;)

You'll need a dst port listed on the dst side of the rule header.  In this
case since it picks a random port, you'll need to use "any".  Since the pass
function tells the parser to "stop here, I don't care about this packet", you
could cut it down to:

  pass tcp $HTTP_SERVERS 80 -> x.x.x.x any

[If I'm wrong, someone jump in and clue-ify me!]

Well, you asked...

Not correct. "pass" versus "alert" versus "log" only gets considered after the rule matches on some packet. That is, the signature matching proceeds the same regardless of which of those 3 rule types is specified. The parser does not do anything special with pass rules. Just the signature matching code and then only after it finds a match. (Order of rule application is a whole other discussion.)

As you pointed out, the trimmed down pass rule above will cause all traffic from $HTTP_SERVERS port 80 to x.x.x.x to be ignored (at least for the purposes of the signature matching). This is probably not what you want since this creates a sizable blind spot for you. You want to create as specific a pass rule as possible that also eliminates your false positive (or other alerts you are not interested in). In this case, it means keeping the same "()" pattern as in your original rule. (You could also make it more specific if you don't want to pass on all 403 traffic between the hosts.)

[In Erek's tradition, let me say that I'm pretty sure what I said was correct, but would appreciate being clue'd in if not. :) ]

Best regards,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
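As an added example (not code from the thread or from Snort itself), a small Python lint that checks a candidate pass rule the way the two replies above do: it flags the missing destination port, flags a pass rule with no content match as a blind spot, and accepts a pass rule that keeps the original rule's option body. The regexes are a simplified reading of the Snort 1.x header syntax, and 192.0.2.10 is a constructed stand-in for x.x.x.x.

```python
import re

# Added example (not Snort's own parser): a small lint for the pass-rule
# points above. Snort 1.x header: action proto src sport -> dst dport (opts)
FULL = re.compile(r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+'
                  r'(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
                  r'(?:\((?P<body>.*)\))?\s*$', re.S)
# Same header shape with the destination port left out (Erek's point).
NO_DPORT = re.compile(r'^(alert|log|pass)\s+\w+\s+\S+\s+\S+\s*->\s*\S+\s*\(.*\)\s*$', re.S)

# Constructed sample rules; 192.0.2.10 stands in for the "x.x.x.x" server.
ALERT_RULE = '''alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
classtype:attempted-recon; sid:1201; rev:2;)'''
MARK_RULE = 'pass tcp $HTTP_SERVERS 80 -> 192.0.2.10 (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12; sid:1201; rev:2;)'
TRIMMED_RULE = 'pass tcp $HTTP_SERVERS 80 -> 192.0.2.10 any'
SPECIFIC_RULE = 'pass tcp $HTTP_SERVERS 80 -> 192.0.2.10 any (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12; sid:1201; rev:2;)'

def parse_rule(text):
    """Header fields plus an 'opts' dict of option:value pairs, or None if malformed."""
    m = FULL.match(' '.join(text.split()))  # joins a line-wrapped rule
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    for item in (rule.pop('body') or '').split(';'):
        if ':' in item:
            key, val = item.split(':', 1)
            opts[key.strip()] = val.strip().strip('"')
    rule['opts'] = opts
    return rule

def lint_pass_rule(pass_text, alert_text):
    """Return findings for a pass rule meant to silence one alert rule."""
    p = parse_rule(pass_text)
    if p is None:
        return ['header lacks a destination port (use "any")'
                if NO_DPORT.match(' '.join(pass_text.split())) else 'rule does not parse']
    if p['action'] != 'pass':
        return ['not a pass rule']
    findings = []
    a = parse_rule(alert_text)
    # pass/alert/log are matched by the same signature engine; a pass rule with
    # no content option silences every packet that fits the header (a blind spot).
    if 'content' not in p['opts']:
        findings.append('no content match: silences all %s %s:%s -> %s:%s traffic'
                        % (p['proto'], p['src'], p['sport'], p['dst'], p['dport']))
    elif a and (p['opts'].get('content'), p['opts'].get('depth')) != \
               (a['opts'].get('content'), a['opts'].get('depth')):
        findings.append('content/depth differ from the alert rule; it may not silence it')
    return findings
```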
