Re: Same source/dest

[Keg <snrtlst () netscape net>]

Sorry guys for the question but how do I write the pass rule? Should a 
create the file and name it as pass.rules or should I simply add the 
following to the local rules.?

pass ip 10.13.110.254 53 -> 10.13.110.254 any 



Erek Adams wrote:

> On Wed, 2 Apr 2003, Brei, Matt wrote:
>
>  
>
> > That's exactly what I did.  I'll refer you to my first post seen below.
> >
> >  pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC
> >    
> >
> > > same SRC/DST"; sameip; reference:cve,CVE-1999-0016;
> > > reference:url,www.cert.org/advisories/CA-1997-28.html;
> > > classtype:bad-unknown; sid:527; rev:3;)
> > >      
>
> Remove the extra stuff.  It's not needed, and you're 'reusing' a SID which
> you shouldn't do.  You can shorten all that to:
>
>    pass ip 10.13.110.254 53 -> 10.13.110.254 1026
>
> If 1026 is what port it always hits on.  If it varries, then change it to:
>
>    pass ip 10.13.110.254 53 -> 10.13.110.254 any
>
> I'm assuming that this is DNS traffic.  To reduce the chance of something
> bad slipping by you could make it:
>
>    pass udp 10.13.110.254 53 -> 10.13.110.254 any
>
> One thing to think about:  If you're seeing a lot of traffic of this type,
> instead of using a pass rule, use a BPF filter.  By using the BPF filter,
> you are stopping the packets from ever getting into Snort.  As minor as
> that sounds, that can save you CPU cycles which is a good thing.  It
> eliminates the need for the reading and parsing the pass rules, and the
> comparisions to see if it should be passed.  On a heavily loaded network,
> that could be a significant savings.
>
> Cheers!
>
> -----
> Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: ValueWeb: 
> Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
> No other company gives more support or power for your dedicated server
> http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>  

--
Your favorite stores, helpful shopping tools and great gift ideas. 
Experience the convenience of buying online with Shop@Netscape! 
http://shopnow.netscape.com/




-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users