[Snort-users] catch all rule

Frank Knobbe FKnobbe at ...649...
Mon Jun 18 23:24:21 EDT 2001


Uhm, how about running two instances of snort with different
configurations? One instance can monitor only the web traffic and
alert on exploits, the other can ignore web traffic and you can use
your catch-all rule in there.

It would be nice to have a rules checking priority system... wasn't
there talk about that for 1.8? If not, here's the suggestion :)  
Until then, running multiple instances will solve the problem.


> -----Original Message-----
> From: barre [mailto:barre at ...2303...]
> Sent: Tuesday, June 18, 2002 2:18 AM
> To: snort-users at lists.sourceforge.net
> In the following example, I want to protect my DMZ and will make an
> "alert" rule for all traffic from and to my DMZ.
> alert tcp any any -> any any (msg:"tcp dmz traffic";)
> But in this case, alerts will be generated when people access my
> webserver. So I make this nice pass rule to grant access to
> my webserver.
> pass tcp !MY_NET any -> webserver 80
> Because this pass rule is applied below the alert rule, I have to use the
> -o option, to make sure that this previous rule makes an exception to the
> other rules.
> But in this scenario, I don't check the content of the pass rule
> for malicious traffic using the other alert rules. But if I delete the pass
> rule, it triggers the "catch all other traffic" rule.
> Therefore: is there another way to implement a "catch all traffic"
> rule? Using this rule, you can write rules for all
> allowed traffic, and alert for all non-defined traffic. All other
> signatures (http malicious traffic for example) will still be
> applied to all traffic, even if they are in the pass or catch all rules.

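The rule-ordering problem barre describes and the two-instance workaround Frank suggests, modelled as an added Python example (not from the thread or from Snort itself). It assumes Snort 1.x semantics as simplified here: the first matching rule of a type decides a packet, a matching pass rule silences the remaining rule types, source networks are reduced to "ext"/"int" labels, and "/BAD-PATTERN" is a constructed stand-in for a web exploit signature's content.

```python
# Added example, not from the thread: a model of Snort 1.x rule-order semantics
# applied to barre's scenario. Assumptions (not stated on the page): first match
# within a rule type wins, a matching pass rule silences later rule types, and
# source networks are reduced to "ext"/"int" labels.

DEFAULT_ORDER = ("alert", "pass", "log")   # snort default rule-type order
O_FLAG_ORDER = ("pass", "alert", "log")    # order with the -o option

# Rule: (action, src_net or "any", dst_port or None, content or None, msg)
CATCH_ALL = ("alert", "any", None, None, "dmz traffic")          # barre's alert rule
PASS_WEB = ("pass", "ext", 80, None, "")                         # pass tcp !MY_NET -> web 80
WEB_EXPLOIT = ("alert", "any", 80, "/BAD-PATTERN", "web exploit")  # constructed signature

# Packet: (src_net, dst_port, payload); constructed sample traffic
PACKETS = [
    ("ext", 80, "GET /index.html"),   # benign web access: should stay silent
    ("ext", 80, "GET /BAD-PATTERN"),  # web attack: should raise "web exploit"
    ("ext", 22, "SSH-2.0-client"),    # undefined traffic: should raise "dmz traffic"
]

def matches(rule, pkt):
    _, r_src, r_port, r_content, _ = rule
    src, dport, payload = pkt
    return ((r_src == "any" or r_src == src)
            and (r_port is None or r_port == dport)
            and (r_content is None or r_content in payload))

def evaluate(rules, order, pkt):
    """Return the alert message for pkt, or None if it passes or goes unmatched."""
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, pkt):
                return None if action == "pass" else rule[4]
    return None

def run(rules, order, packets=PACKETS):
    return [evaluate(rules, order, p) for p in packets]

def two_instances(packets=PACKETS):
    """Frank's suggestion: one instance carries only the web rules, the other
    ignores web traffic (pass rule plus -o) and carries the catch-all rule."""
    web_only = run([WEB_EXPLOIT], DEFAULT_ORDER, packets)
    rest = run([PASS_WEB, CATCH_ALL], O_FLAG_ORDER, packets)
    return [w or r for w, r in zip(web_only, rest)]

if __name__ == "__main__":
    single = [WEB_EXPLOIT, PASS_WEB, CATCH_ALL]
    print("single instance, default order:", run(single, DEFAULT_ORDER))  # noisy on benign web
    print("single instance, -o:", run(single, O_FLAG_ORDER))              # exploit missed
    print("two instances:", two_instances())                             # desired result
```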

