Snort mailing list archives

Pass Rule


From: Joseph Nuara <joe () moorecap com>
Date: Tue, 26 Nov 2002 15:48:13 -0500 (EST)


I am trying to pass all traffic to and from a specific IP that matches the
following rule in dns.rules:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response
PTR with TTL\: 1 min. and no authority"; content:"|85800001000100000000|";
content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253;
rev:2;)

I am using the -o option to snort and have created this rule in
local.rules:

where the x's are real IP addresses

pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53 
(content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; )

I'm sure it's something simple but I just seem to keep dancing around the
issue. Thanks in advance for the help.
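
The two content patterns shared by the quoted sid:253 rule and the pass rule, decoded field by field, as an added example that is not part of the original post. The function names and the sample packet (built around the documentation address 192.0.2.1 and the made-up name hosts.example) are constructed for illustration.

```python
import struct

# The two content patterns from the rules quoted in the post.
HEADER_TAIL = bytes.fromhex("85800001000100000000")      # DNS header bytes 2..11
ANSWER_HEAD = bytes.fromhex("c00c000c00010000003c000f")  # fixed part of the answer RR

def decode_header_tail(b):
    """Decode the flags word and the four section counts of a DNS header."""
    flags, qd, an, ns, ar = struct.unpack("!5H", b)
    return {
        "response": bool(flags & 0x8000),
        "authoritative": bool(flags & 0x0400),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }

def decode_answer_head(b):
    """Decode name pointer, TYPE, CLASS, TTL and RDLENGTH of an answer RR."""
    name, rtype, rclass, ttl, rdlen = struct.unpack("!HHHIH", b)
    return {
        "name_is_pointer": name & 0xC000 == 0xC000,
        "pointer_offset": name & 0x3FFF,   # 12 = first byte after the header
        "type": rtype, "class": rclass, "ttl": ttl, "rdlength": rdlen,
    }

def qname(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def sample_response(ttl=60):
    """Constructed PTR response: ID, header tail, question, one answer."""
    question = qname("1.2.0.192.in-addr.arpa") + struct.pack("!HH", 12, 1)
    rdata = qname("hosts.example")                       # 15 bytes of RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 12, 1, ttl, len(rdata)) + rdata
    return b"\x12\x34" + HEADER_TAIL + question + answer

def content_matches(payload):
    """Approximate the two unanchored content options: both must occur."""
    return HEADER_TAIL in payload and ANSWER_HEAD in payload

if __name__ == "__main__":
    print(decode_header_tail(HEADER_TAIL))
    print(decode_answer_head(ANSWER_HEAD))
    print(content_matches(sample_response()), content_matches(sample_response(300)))
```

The decoded values line up with the rule's msg text: TYPE 12 is PTR, the TTL is 60 seconds, and the authority count is zero.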






