[Snort-users] catch all rule

Vitaly Osipov vosipov at ...2096...
Tue Jun 19 05:05:19 EDT 2001


Why not use "log" instead of "alert"?

something like 

alert blahblahblah (standard snort rules)
pass tcp !MY_NET any -> webserver 80
log any any any -> any any (msg:"tcp dmz traffic";)

this is the standard order without the -o option

regards,
Vitaly



barre wrote:
> 
> Hello,
> 
> In the following example, I want to protect my dmz and will make an
> "alert"
> rule for all traffic from and to my dmz.
> 
> alert any any any -> any any (msg:"tcp dmz traffic";)
> 
> But in this case, alerts will be generated when people access my
> webserver. So I make this nice pass rule to grant access to my webserver.
> 
> pass tcp !MY_NET any -> webserver 80
> 
> Because this pass rule is applied below the alert rule, I have to use the
> -o option, to make sure that this previous rule makes an exception to the
> other rules.
> 
> But in this scenario, I don't check the content of the pass rule for
> malicious traffic using the other alert rules. But if I delete the pass
> rule, it triggers the "catch all other traffic" rule.
> 
> Therefore: is there another way to implement a "catch all traffic"
> rule? Using this rule, you can write rules for all
> allowed traffic , and alert for all non-defined traffic. All other
> signatures (http malicious traffic for example) will still be applied to
> all traffic, even if they are in the pass or catch all rules.
> 
> Does someone have an idea?
> 
> Thanks a lot.
> 
> barre
> 
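The rule-ordering question in this thread, worked through in an added Python example that is not code from the thread or from Snort: a simplified first-match engine that evaluates rules by action group in Snort's default order (alert, pass, log) or the order used with -o (pass, alert, log). The phf signature standing in for the "standard snort rules", the addresses and the sample packets are all constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

MY_NET = "10.0.0."        # constructed DMZ prefix, stands in for $MY_NET
WEBSERVER = "10.0.0.80"   # constructed address of the DMZ web server
Packet = namedtuple("Packet", "src dst dport payload")
@dataclass
class Rule:
    action: str                    # alert, pass or log
    src: str                       # "any" or "!MY_NET"
    dst: str                       # "any" or "webserver"
    dport: Optional[int]           # None means any port
    msg: str = ""
    content: Optional[str] = None  # payload substring, like Snort's content:

def matches(rule, pkt):
    if rule.src == "!MY_NET" and pkt.src.startswith(MY_NET):
        return False
    if rule.dst == "webserver" and pkt.dst != WEBSERVER:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return rule.content is None or rule.content.encode() in pkt.payload

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort without -o
O_OPTION_ORDER = ("pass", "alert", "log")  # Snort with -o

def dispatch(rules, pkt, order=DEFAULT_ORDER):
    # First matching rule, taken in action-group order, decides the packet.
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.msg
    return "none", ""

# Constructed stand-in for the "standard snort rules", plus the thread's rules
PHF = Rule("alert", "any", "webserver", 80, "WEB-CGI phf access", "/cgi-bin/phf")
PASS_WEB = Rule("pass", "!MY_NET", "webserver", 80)
VITALY_RULES = [PHF, PASS_WEB, Rule("log", "any", "any", None, "tcp dmz traffic")]
BARRE_RULES = [PHF, PASS_WEB, Rule("alert", "any", "any", None, "tcp dmz traffic")]
# Constructed sample packets from an outside host to the DMZ
PACKETS = {
    "benign_web": Packet("192.0.2.5", WEBSERVER, 80, b"GET /index.html"),
    "phf_attack": Packet("192.0.2.5", WEBSERVER, 80, b"GET /cgi-bin/phf?Q"),
    "dmz_smtp": Packet("192.0.2.5", "10.0.0.25", 25, b"HELO x"),
}

def outcomes(rules, order=DEFAULT_ORDER):
    return {name: dispatch(rules, pkt, order)[0] for name, pkt in PACKETS.items()}
```

With barre's catch-all alert, the benign web request alerts without -o and the phf probe slips through with -o; with a catch-all log under the default order, the pass rule silences only benign web traffic while the phf signature still fires and other DMZ traffic is logged.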



