[Snort-users] ignore host for just a couple of rules, not all

Piers Williams PiersW at ...1865...
Tue Jun 19 09:45:11 EDT 2001


hmm, that just means you're going to have to write a whole bunch of pass
rules.
My problem is similar: the 'MISC source port 53 access to <1024' rule goes
off like _all_ the time.
	alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
...and it's all perfectly legit DNS traffic that sets it off.

I don't want to add 
	pass tcp any 53 -> dnsservers 53
as I still want the DNS traffic analysed for normal BIND attacks. So how to
exclude the DNS traffic from the rule, short of writing something like:
	alert tcp $EXTERNAL_NET 53 -> !$DNS_SERVERS :1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
	alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS :52 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
	alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS 54:1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)

which seems a bit arse, not least because (!$DNS_SERVERS) != ($HOME_NET &&
!$DNS_SERVERS) as it were, as well as it involves editing the misc.rules
rather than the local.rules (i.e. there's no clean way of me re-applying my
changes to the next ruleset release like there would be if all my
'overrides' were in local.rules).

BTW: Does snort chain the logic in IP ranges, i.e. would
	[$HOME_NET,!$DNS_SERVERS]
be all the homenet IPs that weren't in the DNS_SERVERS range?

> -----Original Message-----
> From: Brian Caswell [mailto:bmc at ...312...]
> Sent: 15 June 2001 14:02
> To: Roeland Weve
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] ignore host for just a couple of rules, not
> all
> 
> 
> Roeland Weve wrote:
> > 47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C   GET /searchresul
> > 74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F   t/../pix/nav/mo_
> > 30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30   0_a.gif HTTP/1.0
> > 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:
> > 
> > I now exclude this host via:
> > pass tcp any any -> hostip 80
> 
> pass tcp any any -> hostip 80 (msg:"pass /../ where acceptable";
> uricontent:"/../"; flags:A+;)
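The rule-splitting exercise above is easier to reason about with a small model of Snort rule-header matching. This is an added illustration, not code from the thread or from Snort; it models only variables, CIDRs, single `!` negation and inclusive port ranges, and the network values are constructed sample values.

```python
import ipaddress

# Constructed sample variable values (assumptions for this illustration only).
VARS = {
    "$EXTERNAL_NET": ["!10.0.0.0/8"],
    "$HOME_NET": ["10.0.0.0/8"],
    "$DNS_SERVERS": ["10.0.0.53/32"],
}

def ip_matches(spec, ip):
    """Evaluate an IP spec: 'any', a CIDR, a $variable, or a '!'-negated item."""
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(ip_matches(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_matches(spec, port):
    """Evaluate a port spec: 'any', N, N:M, :M or N: (ranges are inclusive)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    return port == int(spec)

def header_matches(rule, pkt):
    """rule: 'proto src sport -> dst dport'; pkt: (proto, src, sport, dst, dport)."""
    proto, src, sport, _, dst, dport = rule.split()
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    return (proto == p_proto and ip_matches(src, p_src) and port_matches(sport, p_sport)
            and ip_matches(dst, p_dst) and port_matches(dport, p_dport))

# The original header and the three-way split proposed in the post.
ORIGINAL = "tcp $EXTERNAL_NET 53 -> $HOME_NET :1024"
SPLIT = [
    "tcp $EXTERNAL_NET 53 -> !$DNS_SERVERS :1024",
    "tcp $EXTERNAL_NET 53 -> $DNS_SERVERS :52",
    "tcp $EXTERNAL_NET 53 -> $DNS_SERVERS 54:1024",
]

def alerts(rules, pkt):
    """Number of rule headers in `rules` that fire on `pkt`."""
    return sum(header_matches(r, pkt) for r in rules)
```

Running `alerts` over a few constructed packets shows both points from the post: the split rules stay silent on 53->53 traffic to the DNS server while still firing on other ports, and the first split rule also fires on destinations outside $HOME_NET, because `!$DNS_SERVERS` is not `$HOME_NET && !$DNS_SERVERS`.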