Snort mailing list archives

Re: Pass rule not passing preprocessors


From: Bennett Todd <bet () rahul net>
Date: Sun, 20 Apr 2003 13:16:29 -0400

2003-04-20T03:20:21 Always Bishan:
Now by writing this pass rule I'm able to avoid any
alerts from my rules directory, but preprocessors are
still generating alerts. 

That's right. Preprocessors are applied before rules --- including
pass rules.

Is there anyway to avoid this?

There are only two possible ways to blind preprocessors to certain
traffic. For certain preprocessors (e.g. portscan, portscan2)
there's a corresponding "-ignorehosts" preprocessor
(portscan-ignorehosts, portscan2-ignorehosts respectively) that
allows blinding just that preprocessor to a list of hosts.

The other approach can blind all of snort --- all preprocessors, all
rules, everything --- to specific traffic; that's to use a bpf
filter. These can be specified on the cmdline (that's the optional
"expression" that can be at the end of the cmdline), or in a file
named by the -F option on the cmdline. Packet filtering specified by
BPF rules happens before snort sees the packets, so it completely
blinds snort to whatever the rules elect to drop.

I dabbled a bit with the above, but I ended up disabling the
preprocessors that were inflicting false-positives on me.

-Bennett
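The two mechanisms described in the reply above, written out as an added example (this is not code from the original mail or from the Snort project): a small POSIX shell script that builds a libpcap/BPF expression excluding a list of hosts and writes it to a file for "snort -F", and that writes the portscan-ignorehosts / portscan2-ignorehosts preprocessor lines for a snort.conf "include". The host addresses, the file names and the snort.conf path are made up for illustration; the snort invocation is only echoed, not run.

```shell
#!/bin/sh
# Added example, not from the original mail. Addresses and file names are
# constructed for illustration.

# Build a libpcap/BPF expression that drops all traffic to or from the given
# hosts. "host X" matches X as source or destination, so one clause per host.
# With no hosts there is nothing to filter; refuse rather than emit "not ()",
# which libpcap would reject.
build_bpf_filter() {
    if [ "$#" -eq 0 ]; then
        echo "build_bpf_filter: at least one host required" >&2
        return 1
    fi
    expr=""
    for h in "$@"; do
        if [ -z "$expr" ]; then
            expr="host $h"
        else
            expr="$expr or host $h"
        fi
    done
    printf 'not (%s)\n' "$expr"
}

# Write the expression to a file for "snort -F <file>". The same text could
# instead be given as the trailing expression on the snort command line.
# Prints the path written.
write_bpf_file() {
    out="$1"; shift
    build_bpf_filter "$@" > "$out" || return 1
    echo "$out"
}

# Snort 2.0-era preprocessor lines that blind only the portscan detectors
# to a space-separated host/CIDR list; every other preprocessor and all
# rules still see these packets. Prints the path written.
write_portscan_ignore() {
    out="$1"; shift
    {
        printf 'preprocessor portscan-ignorehosts: %s\n' "$*"
        printf 'preprocessor portscan2-ignorehosts: %s\n' "$*"
    } > "$out"
    echo "$out"
}

# Demonstration with constructed values.
DIR=$(mktemp -d)
BPF=$(write_bpf_file "$DIR/ignore.bpf" 10.0.0.5 10.0.0.6)
CONF=$(write_portscan_ignore "$DIR/ignorehosts.conf" 192.168.1.1 192.168.1.0/24)

echo "# BPF filter ($BPF):"; cat "$BPF"
echo "# portscan ignore lines ($CONF), add 'include $CONF' to snort.conf:"; cat "$CONF"
# If tcpdump is present, let libpcap compile the expression as a syntax check.
if command -v tcpdump >/dev/null 2>&1; then
    tcpdump -y EN10MB -d "$(cat "$BPF")" >/dev/null 2>&1 \
        && echo "# BPF expression compiles" \
        || echo "# (could not compile the BPF expression with tcpdump)"
fi
echo "snort -c /etc/snort/snort.conf -F $BPF   # hypothetical path; whole-snort blinding"
```

The BPF route hides the hosts from everything, rules and preprocessors alike, because the filter runs inside libpcap before snort gets the packet; the ignorehosts route keeps the traffic visible to rules and other preprocessors and only silences the two portscan detectors, which is usually the less blunt choice when the noisy hosts are ones you still want to watch.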
