Snort mailing list archives
RE: Setting Up Policy-Based.rules file
From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Mon, 3 Nov 2003 12:35:50 -0500
Hi Matt -- Thanks for your reply. 1. I do want to exclude the entire tcp/ip range, including port 65535, in both directions. Following your advice, I reconfigured the policy file so it now reads: pass ip 10.1.0.0/24 any <> 145.143.24.45 any 2. I didn't realize that including lines for tcp and udp after ip would be redundant. My understanding was that each protocol had to be treated separately. Since, as you said, IP is a blanket covering TCP, UDP, as well as IP, I commented out the pass lines that reference the two Layer Four protocols. 3. If I modify the rules file to no longer be a blanket. Can the coverage be split into several lines that do not include the port to be monitored? For example, if I want to monitor port number 4589, could the rules file have the following lines: pass ip 10.1.0.0/24 any <> 145.143.24.45 0:4588 pass ip 10.1.0.0/24 any <> 154.143.24.45 4590:65535 Thanks. -----Original Message----- From: Matt Kettler [mailto:mkettler () evi-inc com] Sent: Monday, November 03, 2003 12:04 PM To: Kaplan, Andrew H.; 'snort-users () lists sourceforge net' Cc: Wolfgang, John A. Subject: Re: [Snort-users] Setting Up Policy-Based.rules file At 11:02 AM 11/3/2003, Kaplan, Andrew H. wrote:
1. I don't want, initally, to monitor any traffic going from the 10.1.0.0 network to any TCP/IP port on the server 145.143.24.45. Therefore would the following statements work? pass ip 10.1.0.0/24 any -> 145.143.24.45 0:65534 pass tcp 10.1.0.0/24 any -> 145.143.24.45 0:65534 pass udp 10.1.0.0/24 any -> 145.143.24.45 0:65534
why are you excluding port 65535? if you really mean any port, I'd suggest saying 'any' instead of a range. Also, above you stated you wanted to exclude tcp/ip.. but here you've explicitly got udp included as well as a blanket for all IP.. so do you want to exclude _all_ IP, or just tcp/ip? Also, do you only want to pass traffic flowing to that server, or traffic flowing in both directions? I'd suggest this pass rule to blanket-cover everything IP flowing between 10.1.0.* and 145.143.24.45: pass ip 10.1.0.0/24 any <> 145.143.24.45 any To do an additional pass of tcp and udp is redundant. If you only want to pass traffic from 10.1.0.* to the server, and not pass replies, use -> instead of <>. Also be sure to pass -o parameter to snort.
2. If I want, at a later date, to monitor particular port traffic, do I add the ports I want to monitor AFTER the blanket range shown in item 1, or do I add them BEFORE it?
You will need to modify your pass rule to no longer be a blanket.. It doesn't matter which order the rules are in, if you pass the -o parameter to snort ALL pass rules will occur before ALL other rules.. if you don't pass -o to snort, then ALL alert rules will be run before any pass rules are run.. Thus to snort, it never matters if an alert rule comes before or after a pass rule in the config file, there's a precedence behavior for the rule type where one will always occur before the other, no matter what order they are in. ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Setting Up Policy-Based.rules file Kaplan, Andrew H. (Nov 03)
- Message not available
- Re: Setting Up Policy-Based.rules file Matt Kettler (Nov 03)
- Message not available
- <Possible follow-ups>
- RE: Setting Up Policy-Based.rules file Kaplan, Andrew H. (Nov 03)