Snort mailing list archives

RE: Help with pass rule


From: francisv () dagupan com
Date: Fri, 30 Aug 2002 08:05:42 +0800

But I'm sure what Snort is catching is an alert based on the ACID report :|

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net] 
Sent: Thursday, August 29, 2002 10:32 PM
To: francisv () dagupan com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Help with pass rule

On Thu, 29 Aug 2002 francisv () dagupan com wrote:

I have defined the following:

      var HOME_NET 192.168.0.0/22
      var SERVERS_NET 192.168.1.128/25
      var DIALUP_NET 192.168.1.0/25
      var EXTERNAL_NET !$HOME_NET

However, there are still things that are not clear to me. If I changed the
ordering of snort to pass->alert->log instead of alert->pass->log using
option "o", why do I still get alerts from scan proxy/socks alert even if I
allowed it to pass?

      pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
      pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
      pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

Is it a bug or a feature?

Feature.  :)

If you look you'll see that what generated those alerts isn't a rule, but a
preprocessor.  spp_portscan or spp_portscan2 aren't affected by the pass
rules.  They only use the portscan_ignorehosts config option.

If you would like to ignore this traffic and lighten the load on snort, then
use a BPF filter.  Start snort with something like "snort <your options> 'not
(net 192.168.1.128/25 and port 1080) and not (net 192.168.1.0/25 and port
3128)'".  See the tcpdump man page for more info on how to write the BPF
filters.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
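The two mechanisms in this thread filter at different points and with different matching semantics: a pass rule is directional (source $EXTERNAL_NET, destination $HOME_NET, destination port), only applies to detection rules and so never silences a preprocessor, whereas a BPF filter drops packets before Snort sees them at all, and "net N and port P" in BPF matches either address and either port. The following script is an added example (not from the original mail or from Snort) that models both against the exact values quoted above: HOME_NET 192.168.0.0/22, the three pass rules, and Erek's sample filter. The Packet class, the sample packets and the 203.0.113.5 address are constructed for the demonstration; note that the sample filter, as written in the mail, does not cover port 8080.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the thread.
HOME_NET = ip_network("192.168.0.0/22")
PASS_PORTS = {8080, 3128, 1080}          # the three pass rules
# Erek's sample BPF filter:
# 'not (net 192.168.1.128/25 and port 1080) and not (net 192.168.1.0/25 and port 3128)'
BPF_IGNORE_TERMS = [
    (ip_network("192.168.1.128/25"), 1080),
    (ip_network("192.168.1.0/25"), 3128),
]


@dataclass(frozen=True)
class Packet:            # constructed, minimal TCP 4-tuple for the model
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def bpf_term_matches(pkt: Packet, net, port: int) -> bool:
    """BPF 'net N and port P': either endpoint address in N, either port == P.
    No direction is implied, which is why replies are dropped too."""
    in_net = ip_address(pkt.src_ip) in net or ip_address(pkt.dst_ip) in net
    on_port = pkt.src_port == port or pkt.dst_port == port
    return in_net and on_port


def reaches_snort(pkt: Packet) -> bool:
    """The packet is handed to Snort (rules AND preprocessors) only if no
    'not (...)' term of the BPF filter matches it."""
    return not any(bpf_term_matches(pkt, net, port) for net, port in BPF_IGNORE_TERMS)


def pass_rule_matches(pkt: Packet) -> bool:
    """pass tcp $EXTERNAL_NET any -> $HOME_NET {8080,3128,1080}: directional,
    and only consulted by the rule engine, never by spp_portscan."""
    src_external = ip_address(pkt.src_ip) not in HOME_NET   # EXTERNAL_NET = !$HOME_NET
    dst_home = ip_address(pkt.dst_ip) in HOME_NET
    return src_external and dst_home and pkt.dst_port in PASS_PORTS


def classify(pkt: Packet) -> tuple:
    """(seen by preprocessors at all, covered by a pass rule)."""
    return (reaches_snort(pkt), pass_rule_matches(pkt))


# Constructed sample traffic (203.0.113.5 is an RFC 5737 documentation address).
SAMPLES = {
    "ext -> server :1080":   Packet("203.0.113.5", 40000, "192.168.1.130", 1080),
    "server :1080 -> ext":   Packet("192.168.1.130", 1080, "203.0.113.5", 40000),
    "ext -> server :8080":   Packet("203.0.113.5", 40000, "192.168.1.130", 8080),
    "ext -> dialup :3128":   Packet("203.0.113.5", 40000, "192.168.1.10", 3128),
    "ext -> dialup :1080":   Packet("203.0.113.5", 40000, "192.168.1.10", 1080),
}


def report() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print(f"{'flow':24} {'reaches snort':14} {'pass rule hit'}")
    for name, (seen, passed) in report().items():
        print(f"{name:24} {str(seen):14} {passed}")
```

The table it prints makes the thread's point concrete: the proxy probe to 192.168.1.130:1080 is passed by the rule engine yet still counted by the portscan preprocessor, while the BPF filter removes it (and the return traffic) before any preprocessor runs. It also shows that the BPF filter as quoted lets 8080 traffic through and that port 1080 to the dialup range is not covered, so a filter meant to mirror all three pass rules needs terms for each net/port combination you actually want excluded.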

