Snort mailing list archives

Ri: Re: rule processing.


From: "Federico" <egopfe () hotmail com>
Date: Mon, 1 Apr 2002 16:50:10 +0200

OK, try to imagine this scenario. I need Snort to generate an alert in
this way:

Alert on all SYN packets from 192.168.5.0/24 except 192.168.5.1,
192.168.5.31, 192.168.5.220 to the whole net 192.168.4.0/24 except 192.168.4.6,
192.168.4.31, 192.168.4.243.

How do I manage this rule?

I can act in two ways:
1) FIRST WAY

var LAN [192.168.5.0/24]
var DMZ [192.168.4.0/24]
var no_alert_from [192.168.5.1,192.168.5.31,192.168.5.220]
var no_alert_to [192.168.4.6,192.168.4.31,192.168.4.243]

so the rule can be:

alert tcp !$no_alert_from any -> !$no_alert_to any ... ... ... ...


But if I do this I generate alerts from ALL NETS except the no_alert_from
and no_alert_to IPs, and here is the problem: I can't discriminate IPs in
one net! Traffic from many nets passes through the interface that runs
Snort, not only those two.


2) SECOND WAY

If I use the "pass" rule I get the same problem!

var LAN [192.168.5.0/24]
var DMZ [192.168.4.0/24]
var no_alert_from [192.168.5.1,192.168.5.31,192.168.5.220]
var no_alert_to [192.168.4.6,192.168.4.31,192.168.4.243]

pass tcp $no_alert_from any -> $no_alert_to any .. .. ..
alert tcp $LAN any -> $DMZ any ... ...

The second rule easily generates an alert even with the pass rule!

Doesn't it?


Federico

----- Original Message -----
From: "Chris Green" <cmg () snort org>
To: "Federico Lombardo" <egopfe () hotmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, March 27, 2002 1:47 PM
Subject: Re: [Snort-users] rule processing.


"Federico Lombardo" <egopfe () hotmail com> writes:

Is it possible with Snort to make rule processing work like a firewall
(such as ipfilter or iptables)?

I mean this:

I put some rules in insertion order:

rule 1
rule 2
rule 3

If rule 2 matches the packet for its kind of connection and
hosts, rule 3 is not processed.


That's how the alert system works.  There are also pass rules.  To get
pass rules to be evaluated before the alerts, use the -o command line
option.
--
Chris Green <cmg () snort org>
This is my signature. There are many like it but this one is mine.
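
The rule-ordering question in this thread, modelled as an added Python example (not code from the thread, and not Snort's own code): it emulates Snort 1.x walking the Alert, Pass and Log rule-type lists in order, with the first matching rule ending processing for a packet, as Chris Green describes above, and compares the default Alert->Pass->Log order with the Pass->Alert->Log order selected by -o. Matching is deliberately reduced to protocol, the source/destination IP lists (with '!' negation) and the SYN flag; ports and rule options are ignored. The sample packets are constructed, and the third rule set (one pass rule per exclusion list) is an editor's suggestion, not something posted in the thread.

```python
import ipaddress

# Address lists from Federico's var definitions.
LAN = ["192.168.5.0/24"]
DMZ = ["192.168.4.0/24"]
NO_ALERT_FROM = ["192.168.5.1", "192.168.5.31", "192.168.5.220"]
NO_ALERT_TO = ["192.168.4.6", "192.168.4.31", "192.168.4.243"]

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 1.x default order
O_FLAG_ORDER = ("pass", "alert", "log")    # order selected by "snort -o"


def ip_in(addr, iplist, negated=False):
    """True if addr falls in any network of iplist; negated=True models the
    leading '!' of a rule header such as '!$no_alert_from'."""
    a = ipaddress.ip_address(addr)
    hit = any(a in ipaddress.ip_network(n, strict=False) for n in iplist)
    return hit != negated


class Rule:
    """One rule header: action, source list, destination list, SYN-only flag
    (syn_only models a 'flags: S;' option)."""

    def __init__(self, action, src, dst, src_neg=False, dst_neg=False, syn_only=True):
        self.action, self.src, self.dst = action, src, dst
        self.src_neg, self.dst_neg, self.syn_only = src_neg, dst_neg, syn_only

    def matches(self, pkt):
        return (pkt["proto"] == "tcp"
                and (pkt["syn"] or not self.syn_only)
                and ip_in(pkt["src"], self.src, self.src_neg)
                and ip_in(pkt["dst"], self.dst, self.dst_neg))


def process(rules, pkt, order=DEFAULT_ORDER):
    """Walk the rule types in `order`; within a type, rules are tried in
    insertion order and the first match ends processing for the packet."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action
    return None   # no rule matched: nothing happens


def pkt(src, dst, syn=True):
    return {"proto": "tcp", "src": src, "dst": dst, "syn": syn}


# Constructed sample traffic (not captured data); comments give the wanted outcome.
PACKETS = {
    "lan->dmz":        pkt("192.168.5.10", "192.168.4.20"),             # alert
    "excluded_src":    pkt("192.168.5.1",  "192.168.4.20"),             # no alert
    "excluded_dst":    pkt("192.168.5.10", "192.168.4.6"),              # no alert
    "both_excluded":   pkt("192.168.5.1",  "192.168.4.6"),              # no alert
    "other_nets":      pkt("10.1.1.5",     "172.16.0.9"),               # no alert
    "lan->dmz_no_syn": pkt("192.168.5.10", "192.168.4.20", syn=False),  # no alert
}

# 1) FIRST WAY:  alert tcp !$no_alert_from any -> !$no_alert_to any (flags: S;)
FIRST_WAY = [Rule("alert", NO_ALERT_FROM, NO_ALERT_TO, src_neg=True, dst_neg=True)]

# 2) SECOND WAY as posted:
#       pass  tcp $no_alert_from any -> $no_alert_to any
#       alert tcp $LAN any -> $DMZ any (flags: S;)
SECOND_WAY = [Rule("pass", NO_ALERT_FROM, NO_ALERT_TO, syn_only=False),
              Rule("alert", LAN, DMZ)]

# 3) Editor's variant (hypothetical, not from the thread): one pass rule per
#    exclusion list, so that an excluded source OR an excluded destination
#    suppresses the alert.  Meant to be run with the -o order.
PASS_EACH = [Rule("pass", NO_ALERT_FROM, DMZ, syn_only=False),
             Rule("pass", LAN, NO_ALERT_TO, syn_only=False),
             Rule("alert", LAN, DMZ)]


def run(rules, order=DEFAULT_ORDER):
    """Map each sample packet name to the action taken: 'alert', 'pass' or None."""
    return {name: process(rules, p, order) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules, order in [("first way", FIRST_WAY, DEFAULT_ORDER),
                                ("second way, default order", SECOND_WAY, DEFAULT_ORDER),
                                ("second way, snort -o", SECOND_WAY, O_FLAG_ORDER),
                                ("pass per list, snort -o", PASS_EACH, O_FLAG_ORDER)]:
        print(f"{label}: {run(rules, order)}")
```

Running it shows the two complaints in the thread and what -o changes: the negated header of the first way also alerts on the 10.1.1.5 -> 172.16.0.9 packet, because negation is evaluated against the whole address space, not against $LAN and $DMZ; under the default order the pass rule of the second way is never consulted before the alert list, so even the both-excluded pair alerts. With -o the pass list is walked first and that pair is passed, but the pass rule as posted only matches packets whose source and destination are both on the exclusion lists, so an excluded source sending to a non-excluded DMZ host still alerts; the third rule set, with one pass rule per list, produces the outcomes the original requirement asks for, and only when run with -o.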


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
