[Snort-users] catch all rule

Graham M Locke graham at ...2320...
Tue Jun 19 06:46:55 EDT 2001


On Tue, 18 Jun 2002 09:17:56 +0200 (CEST), barre wrote:

> In the following example, I want to protect my dmz and will make an
> "alert" rule for all traffic from and to my dmz.
> 
> alert ip any any -> any any (msg:"tcp dmz traffic";)
> 
> But in this case, alerts will be generated when people access my
> webserver. So I make this nice pass rule to grant access to my webserver.
> 
> pass tcp !$MY_NET any -> webserver 80
> 
> Because this pass rule is applied below the alert rule, I have to use the
> -o option, to make sure that this previous rule makes an exception to the
> other rules.
> 
> But in this scenario, I don't check the content of the pass rule for
> malicious traffic using the other alert rules. But if I delete the pass
> rule, it triggers the "catch all other traffic" rule.
> 
> Therefore: is there another way to implement a "catch all traffic"
> rule? Using this rule, you can write rules for all
> allowed traffic, and alert for all non-defined traffic. All other
> signatures (http malicious traffic for example) will still be applied to
> all traffic, even if they are in the pass or catch all rules.
> 
> Does someone have an idea?
> 
> Thanks a lot.
> 
> barre

Try: alert tcp !$MY_NET any -> any !80 (msg:"tcp dmz traffic";)
and: alert udp !$MY_NET any -> any !80 (msg:"udp dmz traffic";)

Which says 'alert on protocol NOT from my network -> any network NOT port 80'

and you won't need the -o switch.

You were 95% there with your pass rule.

Regards

Graham.