[Snort-users] Help with pass rule

francisv at ...6732...
Tue Aug 27 23:31:04 EDT 2002


Hi,

I have the following configuration:

var HOME_NET 192.168.0.0/22
var SERVER_NET 192.168.1.128/25
var DIALUP_NET 192.168.1.0/25
var EXTERNAL_NET !$HOME_NET

# Ignore traffic coming from $SERVER_NET
pass ip $SERVER_NET any -> $EXTERNAL_NET any
pass tcp $SERVER_NET any -> $EXTERNAL_NET any
pass udp $SERVER_NET any -> $EXTERNAL_NET any
pass icmp $SERVER_NET any -> $EXTERNAL_NET any

# Ignore scan proxy attempts
pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

The idea is to ignore traffic coming from the $SERVER_NET block going out
and to ignore scan attempts from outside going into $HOME_NET. The problem is
that I still see alerts for scan proxy attempts from outside. This is how I run
snort:

	/usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf

---
 francis a. vidal [bitstop network services] | http://www.bitstop.ph
 streaming media + web hosting               | http://www.keystone.ph
 v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph 
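The point that decides whether the pass rules above have any effect is rule-type order: Snort 1.x checks a packet against the Alert rules before the Pass rules unless it is started with `-o`, which switches the order to Pass->Alert->Log. The script below is an added illustration of that behaviour and is not code from the post or from the Snort project. It models only the header part of rule matching (protocol, networks, ports) using the variables and pass rules from the post, adds one constructed `alert` rule standing in for a "SCAN Proxy" signature (the real rule's options and identifiers are not reproduced), and evaluates constructed packets under both orders. The addresses 203.0.113.5, 192.168.1.10 and 192.168.1.200 are assumptions for the demonstration.

```python
"""Model of Snort 1.x rule-type ordering for pass vs. alert rules.

Added example, not from the original post or from Snort itself. Only the
rule header is matched; rule options such as flags:S are ignored, and
alerts raised by preprocessors (which pass rules never suppress) are not
modelled. Packets and the alert rule are constructed for illustration.
"""
import ipaddress
import re

# Variables copied from the post; EXTERNAL_NET is the negation of HOME_NET.
VARS = {
    "HOME_NET": "192.168.0.0/22",
    "SERVER_NET": "192.168.1.128/25",
    "DIALUP_NET": "192.168.1.0/25",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The pass rules from the post plus one constructed alert rule that stands
# in for a proxy-scan signature (assumption: not the real scan.rules text).
RULES = [
    "pass ip $SERVER_NET any -> $EXTERNAL_NET any",
    "pass tcp $SERVER_NET any -> $EXTERNAL_NET any",
    "pass udp $SERVER_NET any -> $EXTERNAL_NET any",
    "pass icmp $SERVER_NET any -> $EXTERNAL_NET any",
    "pass tcp $EXTERNAL_NET any -> $HOME_NET 3128",
    "pass tcp $EXTERNAL_NET any -> $HOME_NET 8080",
    "pass tcp $EXTERNAL_NET any -> $HOME_NET 1080",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt"; flags:S;)',
]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?$"
)

DEFAULT_ORDER = ("alert", "pass", "log")  # Snort 1.x without -o
PASS_FIRST = ("pass", "alert", "log")     # Snort 1.x with -o


def expand(token, variables=VARS):
    """Resolve $VAR references, keeping a leading '!' negation intact."""
    while "$" in token:
        m = re.search(r"\$(\w+)", token)
        token = token[: m.start()] + variables[m.group(1)] + token[m.end():]
    return token


def net_match(spec, addr):
    """True if addr is inside spec ('any', CIDR, or '!'-negated CIDR)."""
    spec = expand(spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def port_match(spec, port):
    """True if port matches 'any', a single port, or a lo:hi range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    return m.groupdict()


def rule_matches(rule, pkt):
    """Header-only match; 'ip' rules match every protocol."""
    proto_ok = rule["proto"] in ("ip", pkt["proto"])
    return (proto_ok
            and net_match(rule["src"], pkt["src"])
            and port_match(rule["sport"], pkt["sport"])
            and net_match(rule["dst"], pkt["dst"])
            and port_match(rule["dport"], pkt["dport"]))


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Action Snort 1.x takes: the first match in the first rule type (per
    `order`) that has a matching rule wins; None means no rule matched."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action
    return None


def demo():
    """Evaluate a constructed proxy scan (outside -> HOME_NET:8080) both ways."""
    rules = [parse_rule(r) for r in RULES]
    scan = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
            "dst": "192.168.1.10", "dport": 8080}
    return {"default": evaluate(rules, scan),
            "-o": evaluate(rules, scan, PASS_FIRST)}


if __name__ == "__main__":
    for mode, action in demo().items():
        print(f"{mode:8} -> {action}")
```

Under the default order the constructed scan packet hits the alert rule first and still fires; with the `-o` order the `pass tcp $EXTERNAL_NET any -> $HOME_NET 8080` rule is consulted first and silences it. The model also shows the limits of the outbound pass rules: a packet from $SERVER_NET to the outside is passed, but a packet from outside to a $SERVER_NET host matches none of them, because pass rules are directional.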