Snort mailing list archives

Snort Rule-framing


From: Sonika Malhotra <sonikam () magnum barc ernet in>
Date: Mon, 04 Feb 2002 17:35:32 +0530

Hello List,
    I need some help to frame a rule.
I am allowing packets for smtp and dns on my mail-cum-dns-server, so I
have 2 pass rules and 1 alert rule in my local.rules as follows.
pass tcp any any -> $SERVER 25
pass tcp any any -> $SERVER 53
alert tcp any any -> $SERVER any (msg: "Unusual Access on Server";)

and I run the snort daemon with the "-o" option set (pass->alert->log).
This logs all packets for ports other than 25 and 53 in my log-file.

I have a doubt here: does the above setup mean that all packets having
(smtp or dns) attack signatures for ports 25 and 53 will also be passed by
snort (without sending alerts)? In that case, is there any other way of
implementing this policy?

Thanks.
SM.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
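
Added example (not part of the original post and not Snort's own code): a simplified Python model of the pass->alert->log ordering described above, comparing the posted rules with a variant that drops the pass rules and limits the catch-all alert to port ranges around 25 and 53. It assumes the first matching rule decides a packet's fate; the signature rule, the EVIL-MARKER content and the packets are constructed for illustration.

```python
# Simplified model of Snort rule-type ordering; not Snort's own code.
from collections import namedtuple

Rule = namedtuple("Rule", "action lo hi content msg")
Packet = namedtuple("Packet", "dport payload")

def parse_port(spec):
    """Snort port syntax: 'any', 'N', 'lo:hi', ':hi', 'lo:'."""
    if spec == "any":
        return 0, 65535
    if ":" not in spec:
        return int(spec), int(spec)
    lo, hi = spec.split(":")
    return int(lo or 0), int(hi or 65535)

def rule(action, port, msg="", content=None):
    lo, hi = parse_port(port)
    return Rule(action, lo, hi, content, msg)

def matches(r, pkt):
    if not r.lo <= pkt.dport <= r.hi:
        return False
    return r.content is None or r.content in pkt.payload

def evaluate(rules, pkt, order):
    """Walk rule types in the given order (assumed: first match decides)."""
    for action in order:
        for r in rules:
            if r.action == action and matches(r, pkt):
                return (action, r.msg)
    return ("none", "")

PASS_FIRST = ("pass", "alert", "log")  # order with -o, as stated in the post

# Constructed signature rule standing in for any SMTP attack signature.
SIG = rule("alert", "25", "constructed SMTP signature", content=b"EVIL-MARKER")

# The rules from the post, plus the constructed signature rule.
poster_rules = [
    rule("pass", "25"), rule("pass", "53"), SIG,
    rule("alert", "any", "Unusual Access on Server"),
]
# Variant: no pass rules; the catch-all alert skips ports 25 and 53.
range_rules = [SIG] + [rule("alert", p, "Unusual Access on Server")
                       for p in (":24", "26:52", "54:")]

smtp_attack = Packet(25, b"MAIL FROM:<x> EVIL-MARKER")  # constructed packet
telnet_probe = Packet(23, b"")                           # constructed packet
```

In this model the posted rules pass the port-25 packet before the signature rule is consulted, while the range-based variant alerts on it and stays silent for ordinary traffic to ports 25 and 53.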