[Snort-users] Help with pass rule

francisv at ...6732...
Wed Aug 28 17:21:03 EDT 2002


Erek,

I have defined the following:

	var HOME_NET 192.168.0.0/22
	var SERVERS_NET 192.168.1.128/25
	var DIALUP_NET 192.168.1.0/25
	var EXTERNAL_NET !$HOME_NET

However, there are still things that are not clear to me. If I changed the
ordering of snort to pass->alert->log instead of alert->pass->log using
option "o", why do I still get alerts from scan proxy/socks alert even if I
allowed it to pass?

	pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
	pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
	pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

Is it a bug or a feature?

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Thursday, August 29, 2002 1:15 AM
To: francisv at ...6732...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Help with pass rule

On Wed, 28 Aug 2002 francisv at ...6732... wrote:

> I have the following line:
>
> 	preprocessor portscan-ignorehosts: $HOME_NET
>
> in my snort.conf file. Is portscan-ignorehosts directly related to scan
> attempts?

Yes.  It's part of the portscan preprocessor.  It tells the plugin what IPs
to ignore 'scans' from.  The logic of portscan is something like "If you see
over X connections to a port or multiple ports in Y seconds, then it's a
portscan."  DNS servers can set it off if it's not set up right.

You may want to change your HOME_NET and EXTERNAL_NET values, depending on
how you see your network.  If SERVER_NET is also HOME_NET then I would define
EXTERNAL_NET as !$HOME_NET.  That would set it to every IP except your
HOME_NET.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
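As an added illustration of the portscan preprocessor logic Erek describes above (more than X ports from one source within Y seconds, with sources listed in portscan-ignorehosts skipped), here is a small Python model run over constructed connection events; it is not code from the thread or from Snort itself. HOME_NET is the value from the snort.conf above; the thresholds, the event tuples and the other addresses are assumptions chosen for the demo.

```python
import ipaddress
from collections import defaultdict, deque

# From the snort.conf in the thread: portscan-ignorehosts: $HOME_NET
HOME_NET = ipaddress.ip_network("192.168.0.0/22")
IGNORE_HOSTS = [HOME_NET]


def is_ignored(src, ignore):
    """True if src falls inside any network listed in portscan-ignorehosts."""
    return any(ipaddress.ip_address(src) in net for net in ignore)


def detect_portscans(events, ports=4, seconds=3, ignore=IGNORE_HOSTS):
    """Simplified model of the preprocessor's rule of thumb (assumed
    thresholds): alert once per source that touches more than `ports`
    distinct ports within a sliding window of `seconds`.  Sources matching
    the ignore list never alert, regardless of rule order or pass rules.
    events: iterable of (timestamp, src_ip, dst_ip, dst_port).
    Returns a list of (src_ip, first_timestamp_in_window)."""
    window = defaultdict(deque)  # src -> (ts, port) pairs inside the window
    alerted, alerts = set(), []
    for ts, src, _dst, port in sorted(events):
        if src in alerted or is_ignored(src, ignore):
            continue
        q = window[src]
        q.append((ts, port))
        while q and ts - q[0][0] > seconds:  # expire old entries
            q.popleft()
        if len({p for _, p in q}) > ports:
            alerted.add(src)
            alerts.append((src, q[0][0]))
    return alerts


# Constructed sample traffic (timestamp, src, dst, dst_port).
SAMPLE_EVENTS = [
    # External host probing the proxy ports from the pass rules plus two more
    (0.0, "203.0.113.5", "192.168.1.10", 8080),
    (0.5, "203.0.113.5", "192.168.1.10", 3128),
    (1.0, "203.0.113.5", "192.168.1.10", 1080),
    (1.5, "203.0.113.5", "192.168.1.10", 22),
    (2.0, "203.0.113.5", "192.168.1.10", 25),
    # Internal DNS server answering many ephemeral ports: looks like a scan,
    # but it sits in HOME_NET so portscan-ignorehosts suppresses it
    (0.1, "192.168.1.130", "192.168.1.20", 40001),
    (0.2, "192.168.1.130", "192.168.1.21", 40002),
    (0.3, "192.168.1.130", "192.168.1.22", 40003),
    (0.4, "192.168.1.130", "192.168.1.23", 40004),
    (0.5, "192.168.1.130", "192.168.1.24", 40005),
    # Slow external host: one new port every 10 s never fills the window
    (10.0, "198.51.100.7", "192.168.1.10", 80),
    (20.0, "198.51.100.7", "192.168.1.10", 443),
    (30.0, "198.51.100.7", "192.168.1.10", 22),
    (40.0, "198.51.100.7", "192.168.1.10", 25),
    (50.0, "198.51.100.7", "192.168.1.10", 110),
]
```

Dropping the ignore list (`ignore=[]`) makes the DNS server alert as well, which is the misconfiguration Erek warns about.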