[Snort-users] catch all rule
Graham M Locke
graham at ...2320...
Tue Jun 19 06:46:55 EDT 2001
On Date: Tue, 18 Jun 2002 09:17:56 +0200 (CEST), barre wrote:
> In the following example , I want to protect my dmz and will make a
> "alert" rule for all traffic from and to my dmz.
> alert any any any -> any any (msg:"tcp dmz traffic";)
> But in this case, alerts will be generated when people access my
> webserver. So I make this nice pass rule to grant access to my webserver.
> pass tcp !MY_NET any -> webserver 80
> Because this pass rule is applied below the alert rule, I have to use the
> -o option, to make sure that this previous rule makes an exception to the
> other rules.
> But in this scenario, I don't check the content of the pass rule for
> malicious traffic using the other alert rules. But if I delete the pass
> rule, it triggers the "catch all other traffic" rule.
> Therefore: is there another way to implement a "catch all traffic"
> rule? Using this rule, you can write rules for all
> allowed traffic, and alert for all non-defined traffic. All other
> signatures (http malicious traffic for example) will still be applied to
> all traffic, even if they are in the pass or catch all rules.
> Someone has an idea?
> Thanks a lot.
Try: alert tcp !MY_NET any -> any !80 (msg:"tcp dmz traffic";)
and: alert udp !MY_NET any -> any !80 (msg:"udp dmz traffic";)
Which says 'alert on protocol NOT from my network -> any network NOT port 80'
and you won't need the -o switch.
You were 95% there with your pass rule.
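The two approaches side by side as a small Snort rules file. This is an added example, not part of the original thread; the variable names, addresses and sid numbers are assumptions. It goes beyond the reply in three ways: the destination is restricted to the DMZ network rather than any, the UDP rule exempts no port (there is no UDP service to whitelist here), and a normal content signature is kept on the port-80 traffic to show that the negated-port rule leaves it fully inspected.

```snort
# Added example, not from the original thread. Addresses, variable names and
# sid values are assumptions; adjust them to the real network.
var MY_NET    192.168.1.0/24
var DMZ       192.168.2.0/24
var WEBSERVER 192.168.2.10

# --- Approach 1 (commented out): catch-all alert plus a pass rule ---------
# Needs snort -o so that pass rules are evaluated before alert rules.
# Any packet matched by the pass rule is dropped from further inspection,
# so the ordinary web signatures never see the port-80 traffic.
#alert ip   any     any -> $DMZ       any (msg:"dmz traffic";  sid:1000001;)
#pass  tcp !$MY_NET any -> $WEBSERVER 80  (sid:1000002;)

# --- Approach 2: negated port, no pass rule, no -o --------------------------
# Alerts on every TCP packet from outside MY_NET to the DMZ that is NOT
# destined for port 80. Port-80 traffic simply does not match this rule, so
# nothing is exempted from the rest of the rule set.
alert tcp !$MY_NET any -> $DMZ !80 (msg:"tcp dmz traffic"; sid:1000003;)
alert udp !$MY_NET any -> $DMZ any (msg:"udp dmz traffic"; sid:1000004;)

# Snort rules are one-directional; the DMZ-originated direction needs its
# own rule. Source port 80 is excluded so the web server's replies to its
# clients do not alert.
alert tcp $DMZ !80 -> !$MY_NET any (msg:"tcp dmz outbound"; sid:1000005;)

# A normal content signature still fires on the port-80 traffic that the
# rules above leave alone, which is what the pass rule would have prevented.
alert tcp !$MY_NET any -> $WEBSERVER 80 (msg:"WEB-MISC cmd.exe access"; \
    content:"cmd.exe"; nocase; sid:1000006;)
```

Run it with `snort -c <this file>` without `-o`; the only packets that reach the DMZ without alerting are those on TCP port 80, and those are still matched against every signature in the file.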