Snort mailing list archives
PASS rule not working?
From: Loïc Etienne <loic.etienne () cern ch>
Date: Tue, 4 Aug 2009 11:35:31 +0200
Hello,

We are using custom pass rules to disable alerts for some hosts/ports, but still get alerts for those... We are using Snort SP beta 2. Is there a problem with our rules? Rule order is "Rule application order: activation->dynamic->pass->drop->alert->log".

Thanks in advance for your help! Details below:

The pass rule:

    pass tcp any 1024: <> 83.231.216.140 8000

The alert rule:

    alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
        msg:"IRC NICK command"; \
        flow:established; \
        content:"NICK"; offset:0; depth:256; \
        pcre:"/^((\x3a[^\x00\x20\r\n]+\x20+)?\w+(\x20[^\x00\r\n]*)?\r?\n)*?(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
        classtype:policy-violation; \
        sid:3584011; rev:4; )

And the unexpected alert:

    [**] [1:3584011:4] IRC NICK command [**]
    [Classification: Potential Corporate Privacy Violation] [Priority: 1]
    08/03/09-10:59:03.366483 137.xxx.xxx.xxx:2774 -> 83.231.216.140:8000
    TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
    ***AP*** Seq: 0x335AA519 Ack: 0x7AC349AF Win: 0xFFFF TcpLen: 20

Cheers,
Loïc Etienne
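As an added illustration (not part of the original post and not Snort's own code), a small Python check of whether a Snort rule header, such as the pass rule above, covers the 5-tuple printed in an alert. It handles only literal addresses, CIDR blocks, "any", "!" negation, port ranges such as 1024: and the bidirectional "<>" operator, not variables such as $IRC_PORTS, and it says nothing about the payload options or Snort's internal pass/alert ordering; the 192.0.2.1 source address is a constructed stand-in for the masked 137.xxx.xxx.xxx client.

```python
import ipaddress

# Pass rule taken from the post above; the source address is constructed.
PASS_RULE = "pass tcp any 1024: <> 83.231.216.140 8000"
CLIENT_IP = "192.0.2.1"          # stands in for the masked 137.xxx.xxx.xxx


def port_matches(spec, port):
    """Snort port spec: 'any', '8000', '1024:', ':1023', '6666:7000', or '!' negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def addr_matches(spec, addr):
    """Snort address spec: 'any', a host, a CIDR block, or '!' negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_header(rule):
    """Split the seven header fields that precede the '(' option block."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()[:7]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def header_covers(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the rule header matches the packet in its stated direction, or
    in either direction when the rule uses '<>'."""
    h = parse_header(rule)
    if h["proto"] not in ("ip", proto):
        return False

    def one_way(a, ap, b, bp):
        return (addr_matches(h["src"], a) and port_matches(h["sport"], ap)
                and addr_matches(h["dst"], b) and port_matches(h["dport"], bp))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return h["direction"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)
```

Running header_covers(PASS_RULE, "tcp", CLIENT_IP, 2774, "83.231.216.140", 8000) returns True, so the header itself does cover the alerted connection and the explanation for the alert has to lie elsewhere.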