[Snort-users] Help with pass rule

francisv at ...6732... francisv at ...6732...
Thu Aug 29 17:03:22 EDT 2002


But I'm sure what Snort is catching is an alert based on the ACID report :|

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Thursday, August 29, 2002 10:32 PM
To: francisv at ...6732...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Help with pass rule

On Thu, 29 Aug 2002 francisv at ...6732... wrote:

> I have defined the following:
>
> 	var HOME_NET 192.168.0.0/22
> 	var SERVERS_NET 192.168.1.128/25
> 	var DIALUP_NET 192.168.1.0/25
> 	var EXTERNAL_NET !$HOME_NET
>
> However, there are still things that are not clear to me. If I changed the
> ordering of snort to pass->alert->log instead of alert->pass->log using
> option "o", why do I still get alerts from scan proxy/socks alert even if I
> allowed it to pass?
>
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 1080
>
> Is it a bug or a feature?

Feature.  :)

If you look you'll see that what generated those alerts isn't a rule, but a
preprocessor.  spp_portscan or spp_portscan2 aren't affected by the pass
rules.  They only use the portscan_ignorehosts config option.

If you would like to ignore this traffic and lighten the load on snort, then
use a BPF filter.  Start snort with something like "snort <your options> 'not
(net 192.168.1.128/25 and port 1080) and not (net 192.168.1.0/25 and port
3128)'".  See the tcpdump man page for more info on how to write the BPF
filters.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
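The difference Erek describes above, modelled as an added example (this is not code from the thread or from Snort): a pass rule is consulted only by the rules engine and is directional, while a BPF filter drops packets before any preprocessor sees them and, in tcpdump's syntax, `net` and `port` match either endpoint. The `Packet` type, function names and the sample addresses are assumptions made for the example; the exclusion list is the one from Erek's suggested filter.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):          # constructed, hypothetical packet summary
    src: str
    sport: int
    dst: str
    dport: int

HOME_NET = ipaddress.ip_network("192.168.0.0/22")     # from the thread's vars
# (network, port) pairs, exactly as in Erek's suggested BPF filter
IGNORE = [("192.168.1.128/25", 1080), ("192.168.1.0/25", 3128)]

def bpf_expression(ignore=IGNORE):
    """Build the 'not (net X and port Y) and ...' string for snort's command line."""
    return " and ".join(f"not (net {net} and port {port})" for net, port in ignore)

def bpf_excludes(pkt, ignore=IGNORE):
    """Simplified tcpdump semantics: 'net' matches src or dst address,
    'port' matches src or dst port, so the filter is direction-agnostic."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for net, port in ignore:
        n = ipaddress.ip_network(net)
        if (src in n or dst in n) and port in (pkt.sport, pkt.dport):
            return True
    return False

def pass_rule_matches(pkt, ports=(8080, 3128, 1080)):
    """Emulate 'pass tcp $EXTERNAL_NET any -> $HOME_NET <port>': only
    external-to-home traffic with one of the listed destination ports."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return src not in HOME_NET and dst in HOME_NET and pkt.dport in ports

def portscan_preprocessor_sees(pkt, use_bpf):
    """With pass rules alone every packet still reaches spp_portscan;
    only a BPF filter keeps the excluded packets out of the engine."""
    return not (use_bpf and bpf_excludes(pkt))
```

Note that the constructed packet 203.0.113.5 -> 192.168.1.10:1080 is covered by the pass rules but not by Erek's filter, which ties port 1080 to 192.168.1.128/25 only; widen the `net` term if the whole HOME_NET should be excluded.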
