[Snort-devel] Patch

Tim Saunders Tim.Saunders at ...2322...
Tue Jan 13 01:54:01 EST 2004


Please find attached a very basic patch for snort. This patch is against
snort 2.0.5.

The patch adds a -Z command line switch to change the rule application
order to Pass, Log then Alert. There is not particular reason I chose Z
so I don't mind if anyone wants to change it.

The reason I require this rule application order is because I have snort
running on what should be a totally internal subnet (i.e. no connections
are allowed in). Unfortunatly there is one  public server in this range.
Thus for a rule such as an IIS attempted attack I want snort to alert on
all addresses in the subnet except the public server where it should log
the attempt. The log rule is easy to setup but the alert rule is a
little more tricky. I can't set the destination to
[!10.1.1.5,10.1.0.0/16] because snort will still match on the second
part (in 2.0.1 at least). I can use the -o option and put a pass rule in
for 10.1.1.5 but this will not log the attack.

I realise the -o (and my new -Z) option(s) are not the best solution but
changing snorts interpretation of [!10.1.1.5,10.1.0.0/16] would require
a lot more time than I have.

I have tested this patch on two production (2.0.1) snort servers as well
as my own (2.0.5) test server.

I can certify that this patch is all my own work and that the company I
work for own the copyright and are happy for me to release it back to
the community as they have to under the GPL.

Tim Saunders


 <<snort.diff>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.diff
Type: application/octet-stream
Size: 3245 bytes
Desc: snort.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040113/f8e0d7b3/attachment.obj>


More information about the Snort-devel mailing list