Re: non TCP/UDP/ICMP pass rules not working?

[Russ Combs <rcombs () sourcefire com>]

I've recreated it and it looks like it isn't working as it should.  I'm
opening a bug on this.

As a workaround you can try suppressing the alerts.

Thanks for reporting the problem.
Russ

On Fri, Jan 28, 2011 at 9:11 PM, <DTakemori () thdfsg com> wrote:

> Hi,
>
> I'm trying to configure snort to alert on "unknown" IPSEC traffic on a
> network,
> I have the following setup:
>
> ]# snort --version
>
> >   ,,_     -*> Snort! <*-
> >  o"  )~   Version 2.9.0.3 (Build 98)
> >   ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> >           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >           Using libpcap version 1.1.1
> >           Using PCRE version: 6.6 06-Feb-2006
> >           Using ZLIB version: 1.2.3
>
>
> In snort.conf :
> config order: pass activation dynamic drop sdrop reject alert log
> output alert_csv: alert.csv
>
> In local.rules:
> pass ip XXX.XXX.XXX.100 any <> XXX.XXX.XXX.101 any (ip_proto:50;
> sid:1000000; rev:1;)
> pass ip XXX.XXX.XXX.100 any -> XXX.XXX.XXX.101 any (ip_proto:50;
> sid:1000001; rev:1;)
> pass ip XXX.XXX.XXX.101 any -> XXX.XXX.XXX.100 any (ip_proto:50;
> sid:1000002; rev:1;)
> pass ip [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any -> XXX.XXX.XXX.100 any
> (ip_proto:50; sid:1000003; rev:1;)
> pass ip XXX.XXX.XXX.100 any -> [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any
> (ip_proto:50; sid:1000004; rev:1;)
> pass ip [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any <>
> [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any (ip_proto:50; sid:1000005; rev:1;)
> pass ip XXX.XXX.XXX.100 any <> any any (ip_proto:50; sid:1000006; rev:1;)
> pass ip XXX.XXX.XXX.101 any <> any any (ip_proto:50; sid:1000007; rev:1;)
>
> alert ip any any -> any any (msg:"Unknown IP protocol 50 traffic";
> ip_proto:50; classtype:non-standard-protocol; sid:2000000; rev:1;)
>
> I know the rules are highly redundant, but I've tried them separately and
> in various combinations
> to no avail.  I still get alerts like this:
>
>
> 01/28-15:53:43.759947 ,1,2000000,1,"Unknown IP protocol 50
> traffic",,XXX.XXX.XXX.100,,XXX.XXX.XXX.101,, etc etc ...
>
>
> Am I misunderstanding how the pass rules are supposed to work?  Is there
> some precedence other than the config order: that's taking place?  Note
> that I'm
> having similar problems with other ip_protocols as well
>
>
> Dean Takemori
> Systems Support Supervisor
> TD Food Group
> dtakemori () thdfsg com
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users