[Snort-users] Snort Rule-framing

Sonika Malhotra sonikam at ...4044...
Mon Feb 4 04:01:04 EST 2002


Hello List,
    I need some help to frame a rule.
I am allowing packets for SMTP and DNS on my mail-cum-DNS server, so I
have 2 pass rules and 1 alert rule in my local.rules as follows.
pass tcp any any -> $SERVER 25
pass tcp any any -> $SERVER 53
alert tcp any any -> $SERVER any (msg: "Unusual Access on Server";)

and I run the snort daemon with the "-o" option set (pass->alert->log).
This logs all packets for ports other than 25 and 53 in my log file.

I have a doubt here: does the above setup mean that all packets having
(SMTP or DNS) attack signatures for ports 25 and 53 will also be passed by
snort (without sending alerts)? In that case, is there any other way of
implementing this policy?

Thanks.
SM.
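
An added example, not part of the original post: a simplified Python model of first-match evaluation in the pass->alert->log order, assuming a packet that matches a pass rule is never checked against an alert rule. The `$SERVER` address, the `EVIL` content rule standing in for a stock signature, and the port-range alternative without pass rules are constructed for illustration.

```python
import re

# Rule set from the post, plus one constructed content rule that stands in
# for a stock SMTP signature (the "EVIL" string is a placeholder).
ORIGINAL = """\
pass tcp any any -> $SERVER 25
pass tcp any any -> $SERVER 53
alert tcp any any -> $SERVER any (msg: "Unusual Access on Server";)
alert tcp any any -> $SERVER 25 (msg: "SMTP signature"; content: "EVIL";)
"""

# Constructed alternative: no pass rules; the catch-all alert is split into
# port ranges that skip 25 and 53, so signature rules for those ports still run.
REVISED = """\
alert tcp any any -> $SERVER :24 (msg: "Unusual Access on Server";)
alert tcp any any -> $SERVER 26:52 (msg: "Unusual Access on Server";)
alert tcp any any -> $SERVER 54: (msg: "Unusual Access on Server";)
alert tcp any any -> $SERVER 25 (msg: "SMTP signature"; content: "EVIL";)
"""

RULE = re.compile(r'(\w+) tcp any any -> \$SERVER (\S+)(?: \((.*)\))?$')

def port_match(spec, port):
    """Match 'any', a single port, or a lo:hi range with open ends."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        action, ports, opts = RULE.match(line).groups()
        msg = re.search(r'msg:\s*"([^"]*)"', opts or "")
        content = re.search(r'content:\s*"([^"]*)"', opts or "")
        rules.append((action, ports, msg and msg.group(1),
                      content and content.group(1)))
    return rules

def evaluate(text, dport, payload, order=("pass", "alert", "log")):
    """Return (action, msg) of the first matching rule, chain by chain."""
    rules = parse(text)
    for chain in order:
        for action, ports, msg, content in rules:
            if (action == chain and port_match(ports, dport)
                    and (content is None or content in payload)):
                return (action, msg)
    return (None, None)
```
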




