Snort mailing list archives

Re: Trouble with pass rule


From: Neil Dickey <neil () geol niu edu>
Date: Tue, 29 Apr 2003 10:16:52 -0500 (CDT)

Carl <lists () carldunham com> wrote below, asking:

[ Why does my pass rule not work. ]

The way you have your variables set the alert rule picks up traffic
from any port, anywhere, to any port on your home net.  The source
address of the alert is 10.27.13.211, which matches "anywhere," and
the target address is 10.27.255.255, which matches "10.27.0.0/16".

Your pass rule affects traffic moving between 10.47.0.0/16 and your
home net -- note the second octet is "47", not "27" (typo?).  That's
why the pass rule isn't doing what you want.

I hope this helps.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I am getting a bunch of false positives on CID 1322:

alert ip $EXTERNAL_NET any -> $HOME_NET any ( sid: 1322; rev: 4; msg: "BAD TRAFFIC bad frag bits"; fragbits: MD; classtype: misc-activity;)
[ ... ]
The variable settings:

var HOME_NET [192.168.0.0/24,10.27.0.0/16]
var EXTERNAL_NET any

Example alert (from /var/log/snort/alert):

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/28-17:50:18.327281 10.27.13.211 -> 10.27.255.255
UDP TTL:64 TOS:0x0 ID:30423 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0172   Frag Size: 0x0014


I added the following pass rule, and set snort to run with the -o flag:

var EPP_CHATTERS 10.47.0.0/16

pass ip $EPP_CHATTERS any -> $HOME_NET any ( sid: 1000001; rev: 7; fragbits: MD;)


But I still get the alerts. The traffic is a local application protocol that
uses large UDP datagrams that get fragmented into 1500-byte IP packets (plus
one for the leftover). All but the final leftover have the DF and MF flags
set, as shown in the alert. The final has DF only, and isn't alerting.

I also removed CID 521 (MISC Large UDP Packet) which this was triggering as 
well.

As you can see (rev: 7), I tried a few things, like making it UDP vs. IP,
adding the UDP ip_proto: 17, stuff like that.

Any ideas? I can send more traces if that helps. Although some of the packets
have sensitive data, I can try to black it out.

Thanks.

Carl
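To make Neil's diagnosis concrete, the following is an added example (not code from the thread or from the Snort project) that evaluates the two rule headers from this message against the source and destination of the posted alert, using Python's standard ipaddress module. It copies the three var lines and the alert addresses from the thread, handles only the address syntax those rules use (any, $VAR, a CIDR, a [bracketed,list], and a leading ! for negation), ignores ports, and assumes the "corrected" variable value 10.27.0.0/16 that Neil's "47 vs. 27" remark implies.

```python
import ipaddress

# Snort variables exactly as posted in the thread (copied here so the block runs stand-alone)
VARS = {
    "HOME_NET": "[192.168.0.0/24,10.27.0.0/16]",
    "EXTERNAL_NET": "any",
    "EPP_CHATTERS": "10.47.0.0/16",
}

# Source and destination taken from the posted alert line
ALERT_SRC = "10.27.13.211"
ALERT_DST = "10.27.255.255"


def parse_addr_spec(spec, variables):
    """Expand a Snort address spec ('any', '$VAR', 'a.b.c.d/n', '[x,y]', optional
    leading '!') into (negated, networks). networks is None for 'any'.
    Only the subset used in the thread is handled; nested lists are not."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:]
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(",")]
    return negated, nets


def addr_matches(ip, spec, variables):
    """True if ip satisfies the address spec (after variable expansion and negation)."""
    negated, nets = parse_addr_spec(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return (not hit) if negated else hit


def header_matches(header, src_ip, dst_ip, variables=VARS):
    """Evaluate a rule header such as 'ip $EXTERNAL_NET any -> $HOME_NET any'.
    Ports are not evaluated (both rules in the thread use 'any'); only '->' is supported."""
    _proto, src, _sport, arrow, dst, _dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are handled here")
    return addr_matches(src_ip, src, variables) and addr_matches(dst_ip, dst, variables)


ALERT_HEADER = "ip $EXTERNAL_NET any -> $HOME_NET any"   # header of sid 1322
PASS_HEADER = "ip $EPP_CHATTERS any -> $HOME_NET any"    # header of the posted pass rule


def diagnose(src_ip=ALERT_SRC, dst_ip=ALERT_DST):
    """Report which headers match the alert: the pass rule as posted, and with
    EPP_CHATTERS changed to 10.27.0.0/16 (the value Neil's typo remark implies)."""
    corrected = dict(VARS, EPP_CHATTERS="10.27.0.0/16")
    return {
        "alert_rule": header_matches(ALERT_HEADER, src_ip, dst_ip, VARS),
        "pass_rule_as_posted": header_matches(PASS_HEADER, src_ip, dst_ip, VARS),
        "pass_rule_corrected": header_matches(PASS_HEADER, src_ip, dst_ip, corrected),
    }


if __name__ == "__main__":
    for name, matched in diagnose().items():
        print(f"{name}: {'matches' if matched else 'does not match'}")
```

Running it shows the alert header matching (source "any", destination inside 10.27.0.0/16), the posted pass header not matching (10.27.13.211 is not in 10.47.0.0/16), and the pass header matching once the variable is 10.27.0.0/16. Checking a pass rule this way before deploying it is a cheap sanity test: a pass rule that never matches silently leaves the alert in place.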



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
