Snort mailing list archives
Re: Pass rule not passing preprocessors
From: Bennett Todd <bet () rahul net>
Date: Sun, 20 Apr 2003 13:16:29 -0400
2003-04-20T03:20:21 Always Bishan:
Now by writing this pass rule I'm able to avoid any alerts from my rules directory, but preprocessors are still generating alerts.
That's right. Preprocessors are applied before rules --- including pass rules.
Is there any way to avoid this?
There are only two possible ways to blind preprocessors to certain traffic.

For certain preprocessors (e.g. portscan, portscan2) there's a corresponding "-ignorehosts" preprocessor (portscan-ignorehosts, portscan2-ignorehosts respectively) that allows blinding just that preprocessor to a list of hosts.

The other approach can blind all of snort --- all preprocessors, all rules, everything --- to specific traffic; that's to use a bpf filter. These can be specified on the cmdline (that's the optional "expression" that can be at the end of the cmdline), or in a file named by the -F option on the cmdline. Packet filtering specified by BPF rules happens before snort sees the packets, so it completely blinds snort to whatever the rules elect to drop.

I dabbled a bit with the above, but I ended up disabling the preprocessors that were inflicting false-positives on me.

-Bennett
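The ordering Bennett describes (BPF filter first, then preprocessors, then rules including pass rules) is easy to see in a small model. The following is an added example, not Snort code and not from anyone in this thread: a toy portscan preprocessor with an ignorehosts list, a rule stage modelled as snort run with -o (pass rules checked before alert rules), and a stand-in for a "not host" BPF expression. The hosts, ports, rule messages and the three-port threshold are constructed for the demo; the real portscan-ignorehosts and -F/bpf behaviour is what the thread states, the code merely reproduces the order of the stages.

```python
"""Toy model (not Snort code) of the snort 2.0-era packet path:
BPF filter -> preprocessors -> rules. All hosts/ports/messages are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def bpf_not_host(*hosts: str) -> Callable[[Packet], bool]:
    """Stand-in for a BPF expression like 'not host A and not host B'.
    Returns True when the packet should be delivered to snort at all."""
    excluded = set(hosts)
    return lambda pkt: pkt.src not in excluded and pkt.dst not in excluded


class PortscanPreprocessor:
    """Toy portscan detector: alerts once a source has touched `threshold`
    distinct ports. `ignorehosts` mimics portscan-ignorehosts: it blinds
    only this preprocessor, nothing else."""

    def __init__(self, threshold: int = 3, ignorehosts=()):
        self.threshold = threshold
        self.ignore = [ipaddress.ip_network(n) for n in ignorehosts]
        self.seen = {}

    def process(self, pkt: Packet) -> Optional[str]:
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in self.ignore):
            return None
        ports = self.seen.setdefault(pkt.src, set())
        ports.add(pkt.dport)
        if len(ports) == self.threshold:
            return f"preprocessor portscan: {pkt.src}"
        return None


@dataclass(frozen=True)
class Rule:
    action: str           # "alert" or "pass"
    src: str              # "any" or an address
    dport: Optional[int]  # None means any port
    msg: str

    def matches(self, pkt: Packet) -> bool:
        return self.src in ("any", pkt.src) and self.dport in (None, pkt.dport)


class RuleEngine:
    """Rule stage, modelled as snort run with -o (pass rules before alert rules)."""

    def __init__(self, rules):
        self.passes = [r for r in rules if r.action == "pass"]
        self.alerts = [r for r in rules if r.action == "alert"]

    def process(self, pkt: Packet) -> Optional[str]:
        if any(r.matches(pkt) for r in self.passes):
            return None
        for r in self.alerts:
            if r.matches(pkt):
                return f"rule: {r.msg}"
        return None


def run(packets, bpf=None, preprocessors=(), rules=()) -> List[str]:
    """Drive packets through the three stages in the order snort applies them."""
    engine = RuleEngine(rules)
    alerts = []
    for pkt in packets:
        if bpf is not None and not bpf(pkt):
            continue                   # dropped before snort ever sees it
        for pp in preprocessors:       # preprocessors run before any rule
            a = pp.process(pkt)
            if a:
                alerts.append(a)
        a = engine.process(pkt)        # pass rules only act here
        if a:
            alerts.append(a)
    return alerts


# Constructed traffic: one noisy host probing three ports on an internal box.
SCAN = [Packet("10.1.1.5", "10.2.2.2", p) for p in (21, 22, 23)]
TELNET_ALERT = Rule("alert", "any", 23, "telnet attempt")
PASS_SCANNER = Rule("pass", "10.1.1.5", None, "trusted scanner")


def scenario(name: str) -> List[str]:
    """Four ways of handling the noisy host; returns the alerts each one leaves."""
    if name == "nothing":
        return run(SCAN, preprocessors=[PortscanPreprocessor()], rules=[TELNET_ALERT])
    if name == "pass_rule":              # silences the rule, not the preprocessor
        return run(SCAN, preprocessors=[PortscanPreprocessor()],
                   rules=[PASS_SCANNER, TELNET_ALERT])
    if name == "pass_rule+ignorehosts":  # additionally blinds that one preprocessor
        return run(SCAN, preprocessors=[PortscanPreprocessor(ignorehosts=["10.1.1.0/24"])],
                   rules=[PASS_SCANNER, TELNET_ALERT])
    if name == "bpf":                    # blinds everything to that host
        return run(SCAN, bpf=bpf_not_host("10.1.1.5"),
                   preprocessors=[PortscanPreprocessor()], rules=[TELNET_ALERT])
    raise ValueError(name)


if __name__ == "__main__":
    for n in ("nothing", "pass_rule", "pass_rule+ignorehosts", "bpf"):
        print(f"{n:24s} -> {scenario(n)}")
```

Running it shows the point of the thread: the pass rule alone leaves the portscan alert standing, the ignorehosts list removes that one preprocessor's alert, and the BPF filter removes everything because the packets never reach the preprocessors or the rules. Each `scenario` call builds fresh preprocessor state, since the toy portscan detector accumulates ports per source.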
Current thread:
- Pass rule not passing preprocessors Always Bishan (Apr 20)
- Re: Pass rule not passing preprocessors Bennett Todd (Apr 20)
- Re: Pass rule not passing preprocessors Chris Green (Apr 21)