[Snort-users] Help with pass rule
erek at ...577...
Thu Aug 29 07:32:06 EDT 2002
On Thu, 29 Aug 2002 francisv at ...6732... wrote:
> I have defined the following:
> var HOME_NET 192.168.0.0/22
> var SERVERS_NET 192.168.1.128/25
> var DIALUP_NET 192.168.1.0/25
> var EXTERNAL_NET !$HOME_NET
> However, there are still things that are not clear to me. If I changed the
> ordering of snort to pass->alert->log instead of alert->pass->log using
> option "o", why do I still get alerts from scan proxy/socks alert even if I
> allowed it to pass?
> pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
> pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
> pass tcp $EXTERNAL_NET any -> $HOME_NET 1080
> Is it a bug or a feature?
If you look you'll see that what generated those alerts isn't a rule, but a
preprocessor. spp_portscan or spp_portscan2 aren't affected by the pass
rules. They only use the portscan_ignorehosts config option.
If you would like to ignore this traffic and lighten the load on snort, then
use a BPF filter. Start snort with something like "snort <your options> 'not
(net 192.168.1.128/25 and port 1080) and not (net 192.168.1.0/25 and port
3128)'". See the tcpdump man page for more info on how to write the BPF