Snort mailing list archives
Re: newbie question about pass and alert directive
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 23 Feb 2013 10:27:31 -0500
On 2/22/2013 16:45, Jason Wallace wrote:
> No, I think what Federico said was correct, because the first rule is a pass rule, not an alert rule.
erk! i didn't even catch that... my bad :( i only ever work with alert rules because we use external processes to handle ip blocking and such based on the alerts from snort...
>> 1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; *flag:A*; classtype:not-suspicious; sid:10000013; rev:1;)
>> 2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; *flags:A*; content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>> the rule at point 2 will be ignored because the rule at point 1 tells snort to ignore every tcp packet with the ACK flag active?
>
> If the response order is set to process pass rules before alert rules, then yes, the second rule will never fire.
that rule processing order is something else we never mess with, too...
> On Fri, Feb 22, 2013 at 12:22 PM, waldo kitty <wkitty42 () windstream net> wrote:
>> On 2/22/2013 04:27, . wrote:
>>> another question: writing these rules:
>>> 1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; *flag:A*; classtype:not-suspicious; sid:10000013; rev:1;)
>>> 2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; *flags:A*; content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>>> the rule at point 2 will be ignored because the rule at point 1 tells snort to ignore every tcp packet with the ACK flag active?
>>
>> no... the first rule doesn't tell snort to do anything other than alert based on the ACK flag... the second rule will fire if there is content "bogus trojan" and the ACK flag... the question is will such a packet as the second rule is looking for exist...
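An added example, not from any of the posters: the two rules from the thread as a Snort 2.x rules-file fragment, with the snort.conf directive that controls rule-type order and a pass rule narrowed so it no longer shadows the detection. It assumes Snort 2.9 `config order` syntax and a `$HOME_NET` defined in snort.conf; the host 192.0.2.10 and port 8080 are constructed values. Note that the option keyword is `flags`; `flag` (as in the first rule of the thread) is not a valid Snort rule option.

```conf
# Added example (not from the thread). Snort 2.x syntax; $HOME_NET assumed
# defined in snort.conf; 192.0.2.10 and port 8080 are constructed values.

# Rule-type evaluation order lives in snort.conf, not in the rules file.
# With pass ahead of alert, the first matching pass rule ends evaluation
# for that packet and no alert rule is consulted (2.9 syntax assumed):
#   config order: pass alert log

# Overly broad pass. flags:A matches segments with only ACK set, and this
# rule shares the same header and flags test as the alert rule below, so
# under pass-first ordering every packet the alert rule could match is
# consumed here first and the alert can never fire.
pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; classtype:not-suspicious; sid:10000013; rev:1;)

# The detection rule that is shadowed by the pass rule above.
alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)

# Scoped pass instead: suppress one known, noisy flow (constructed host and
# port) so the detection rule still sees all other traffic.
pass tcp 192.0.2.10 any -> $HOME_NET 8080 (msg:"known monitoring poller"; flags:A; classtype:not-suspicious; sid:10000015; rev:1;)
```

Check the effective order with `snort -T -c snort.conf`, which prints the rule order it will use along with any rule parse errors.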