[Snort-users] Help with pass rule

Erek Adams erek at ...577...
Thu Aug 29 07:32:06 EDT 2002


On Thu, 29 Aug 2002 francisv at ...6732... wrote:

> I have defined the following:
>
> 	var HOME_NET 192.168.0.0/22
> 	var SERVERS_NET 192.168.1.128/25
> 	var DIALUP_NET 192.168.1.0/25
> 	var EXTERNAL_NET !$HOME_NET
>
> However, there are still things that are not clear to me. If I changed the
> ordering of snort to pass->alert->log instead of alert->pass->log using
> option "o", why do I still get alerts from scan proxy/socks alert even if I
> allowed it to pass?
>
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 1080
>
> Is it a bug or a feature?

Feature.  :)

If you look you'll see that what generated those alerts isn't a rule, but a
preprocessor.  spp_portscan or spp_portscan2 aren't affected by the pass
rules.  They only use the portscan_ignorehosts config option.

If you would like to ignore this traffic and lighten the load on snort, then
use a BPF filter.  Start snort with something like "snort <your options> 'not
(net 192.168.1.128/25 and port 1080) and not (net 192.168.1.0/25 and port
3128)'".  See the tcpdump man page for more info on how to write the BPF
filters.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
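Added example, not part of Erek's reply or of the Snort project: a start-up wrapper that puts the two separate mechanisms from the thread side by side. The snort.conf fragment keeps the poster's variables and pass rules (which only silence rule-based alerts), adds a `config order` line and a `portscan-ignorehosts` directive for the spp_portscan preprocessor, and `build_bpf_filter` composes the tcpdump-style expression that keeps the packets from reaching Snort at all. The config path, the interface name, the `config order` syntax and the portscan directive lines are assumptions about a Snort 1.x-era setup; check them against the manual for your version.

```shell
#!/bin/sh
# Added example (not from the original thread). Paths, interface and the
# exact config directives are assumptions about a Snort 1.x-era install.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed path
SNORT_IF="${SNORT_IF:-eth0}"                         # assumed interface

# Write the configuration fragment. Pass rules affect rule-based alerts
# only, so the portscan preprocessor gets its own ignore list.
write_snort_conf() {
    cat > "$1" <<'EOF'
var HOME_NET 192.168.0.0/22
var SERVERS_NET 192.168.1.128/25
var DIALUP_NET 192.168.1.0/25
var EXTERNAL_NET !$HOME_NET

# Evaluate pass rules before alert rules (same effect as "-o" on the
# command line; directive syntax assumed)
config order: pass alert log

# Pass rules: silence rule-based alerts only, never preprocessor output
pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

# spp_portscan has its own ignore list (directive lines assumed for the
# Snort 1.x spp_portscan preprocessor)
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: 192.168.1.128/25 192.168.1.0/25
EOF
}

# Compose the BPF expression from net/port pairs:
#   build_bpf_filter NET PORT [NET PORT ...]
# Each pair becomes "not (net NET and port PORT)", joined with "and", so
# the matching packets are dropped by the capture filter before any rule
# or preprocessor sees them.
build_bpf_filter() {
    filter=""
    while [ "$#" -ge 2 ]; do
        clause="not (net $1 and port $2)"
        if [ -z "$filter" ]; then
            filter="$clause"
        else
            filter="$filter and $clause"
        fi
        shift 2
    done
    printf '%s' "$filter"
}

# Start Snort with the filter as the trailing argument; if snort is not
# installed, just show the command that would be run.
start_snort() {
    bpf=$(build_bpf_filter 192.168.1.128/25 1080 192.168.1.0/25 3128)
    if command -v snort >/dev/null 2>&1; then
        snort -c "$SNORT_CONF" -i "$SNORT_IF" "$bpf"
    else
        echo "would run: snort -c $SNORT_CONF -i $SNORT_IF '$bpf'"
    fi
}
```

Note that plain `net` in a BPF expression matches the address as either source or destination, so the filter above also hides outbound traffic from those nets on those ports; use `dst net` if only the inbound direction that the pass rules describe should be excluded.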




