Snort mailing list archives

Re: issue with 2.8.2


From: Joel Esler <joel.esler () mac com>
Date: Tue, 03 Jun 2008 21:02:01 -0400

Did you move pass rules to the front of evaluation, either through a config statement, or through -o at the command line?

Joel

On Jun 3, 2008, at 8:46 PM, Jason Haar wrote:

Hi there

I've just upgraded from 2.8.0.1 to 2.8.2 and an existing rule started
triggering that isn't meant to.

We have some DMZes which aren't meant to make unexpected outbound
connections, so we use "pass" rules to ignore/pass traffic that is
expected, and then trigger on everything else. Works well - until today.

pass tcp $DMZES_NETS any -> any 53 (msg:"DMZ host doing DNS zone transfer or large DNS lookup"; sid:3000023; rev:2;)
alert tcp $DMZES_NETS any -> any 26:79 (msg:"DMZ host attempting outgoing connection to port range 26-79"; flags:S; tag:session,10,packets; classtype:successful-admin; sid:1000007; rev:1; reference:url,/secure/cvename.php?name=1000007;)

The DMZES_NETS contain hosts that do full Internet DNS lookups - which
means mostly UDP/DNS with the occasional TCP/DNS query.

What we are seeing today (since upgrading to 2.8.2) is alerts on
TCP-based DNS lookups. The alerts generated ("DMZ host attempting
outgoing connection to port range 26-79") have the SYN set, and are TCP
port 53 - as above. And yet the previous 3000023 didn't trigger and
pass it...?

This is on CentOS4.6 systems - yes - it's triggering on multiple DMZes
and different snort servers.

Is this a bug, or has some logic changed that makes the above rule combo
incorrect now? The DNS preprocessor is enabled if that matters...

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  joel.esler () mac com
  http://blog.joelesler.net
[m]
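The point behind Joel's question is rule-type ordering: Snort evaluates rules group by group (alert rules, pass rules, log rules, ...), and the first group containing a match decides the packet, so a pass rule can only suppress an overlapping alert if pass rules are evaluated before alert rules (the -o switch, or a "config order: pass alert log ..." statement in snort.conf). The script below is an added illustration, not Snort source and not from either poster: it parses the two rules quoted in the thread with a small toy parser (unidirectional rules, plain "flags:" letters only, no +/*/! modifiers) and runs a constructed TCP/53 SYN through both orderings. The networks assigned to $DMZES_NETS and the packet addresses are made up for the example.

```python
"""Toy model of Snort 2 rule-type ordering (added example, not Snort code).

Parses the two rules from the thread and evaluates a constructed TCP/53 SYN
under alert-first and pass-first ordering, to show why the pass rule is never
reached unless pass rules are evaluated before alert rules.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the post does not give the real contents of $DMZES_NETS.
VARS = {"DMZES_NETS": "10.20.0.0/24,10.21.0.0/24"}

# The two rules quoted in the thread, re-joined onto one line each.
RULE_TEXT = [
    'pass tcp $DMZES_NETS any -> any 53 (msg:"DMZ host doing DNS zone transfer '
    'or large DNS lookup"; sid:3000023; rev:2;)',
    'alert tcp $DMZES_NETS any -> any 26:79 (msg:"DMZ host attempting outgoing '
    'connection to port range 26-79"; flags:S; tag:session,10,packets; '
    'classtype:successful-admin; sid:1000007; rev:1;)',
]

HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: list          # list of ip_network, or None for "any"
    sport: tuple       # (lo, hi), or None for "any"
    dst: list
    dport: tuple
    opts: dict


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flag letters as Snort writes them, e.g. "S", "SA"


def parse_nets(spec):
    if spec == "any":
        return None
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    return [ipaddress.ip_network(n) for n in spec.strip("[]").split(",")]


def parse_ports(spec):
    if spec == "any":
        return None
    if ":" in spec:                      # Snort range syntax lo:hi
        lo, hi = spec.split(":")
        return (int(lo or 0), int(hi or 65535))
    return (int(spec), int(spec))


def parse_rule(text):
    """Parse a unidirectional (->) rule. Options are split on ';', so this
    toy does not handle escaped ';' inside msg strings."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, parse_nets(src), parse_ports(sport),
                parse_nets(dst), parse_ports(dport), opts)


def matches(rule, pkt):
    def in_nets(nets, ip):
        return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

    def in_ports(rng, port):
        return rng is None or rng[0] <= port <= rng[1]

    if rule.proto != pkt.proto:
        return False
    if not (in_nets(rule.src, pkt.src) and in_ports(rule.sport, pkt.sport)
            and in_nets(rule.dst, pkt.dst) and in_ports(rule.dport, pkt.dport)):
        return False
    # "flags:S" is an exact flag match in Snort; modifiers are not modelled.
    want = rule.opts.get("flags")
    return want is None or set(want) == set(pkt.flags)


RULES = [parse_rule(t) for t in RULE_TEXT]

# Rule types are evaluated group by group; the first group with a matching
# rule decides the packet.  ALERT_FIRST models alert rules evaluated before
# pass rules; PASS_FIRST models pass rules moved to the front of evaluation,
# which is what Joel's "-o / config order" question is about.
ALERT_FIRST = ("alert", "pass", "log")
PASS_FIRST = ("pass", "alert", "log")


def classify(pkt, order):
    """Return (action, sid) of the first matching rule in type order, or
    (None, None) if nothing matches."""
    for action in order:
        for rule in RULES:
            if rule.action == action and matches(rule, pkt):
                return action, rule.opts["sid"]
    return None, None


if __name__ == "__main__":
    # Constructed packet: the TCP DNS lookup Jason describes, a SYN to port 53.
    syn53 = Packet("tcp", "10.20.0.5", 43210, "192.0.2.53", 53, "S")
    print("alert-first:", classify(syn53, ALERT_FIRST))
    print("pass-first: ", classify(syn53, PASS_FIRST))
```

Run as a script it prints the alert (sid 1000007) for the alert-first ordering and the pass (sid 3000023) for the pass-first ordering on the same SYN. The same packet without SYN-only flags (an established session) is passed either way because the alert rule's flags:S no longer matches, which is why Jason only sees the SYN packets of the TCP lookups.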




