[Snort-users] Quick Rule's Question...

James Hoagland hoagland at ...47...
Wed Mar 6 13:25:46 EST 2002


Hello Erek,

At 11:40 AM -0800 3/6/02, Erek Adams wrote:
>On Wed, 6 Mar 2002, Mark Taber wrote:
>
>[...snip...]
>
>>  (Rule that is in the web-misc file)
>>  alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
>>  Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
>>  classtype:attempted-recon; sid:1201; rev:2;)
>>
>>  (Rule that I am creating)
>>  pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network)
>>  (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
>>  depth:12; classtype:attempted-recon; sid:1201; rev:2;)
>
>You'll need a dst port listed on the dst side of the rule header.  In this
>case since it picks a random port, you'll need to use "any".  Since the pass
>function tells the parser to "stop here, I don't care about this packet", you
>could cut it down to:
>
>   pass tcp $HTTP_SERVERS 80 -> x.x.x.x any
>
>[If I'm wrong, someone jump in and clue-ify me!]

Well, you asked...

Not correct.  "pass" versus "alert" versus "log" only gets considered 
after the rule matches on some packet.  That is, the signature 
matching proceeds the same regardless of which of those 3 rule types 
is specified.  The parser does not do anything special with pass 
rules.  Just the signature matching code and then only after it finds 
a match.  (Order of rule application is a whole other discussion.)

As you pointed out, the trimmed down pass rule above will cause all 
traffic from $HTTP_SERVERS port 80 to x.x.x.x to be ignored (at least 
for the purposes of the signature matching).  This is probably not 
what you want since this creates a sizable blind spot for you.  You 
want to create as specific a pass rule as possible that also 
eliminates your false positive (or other alerts you are not 
interested in).  In this case, it means keeping the same "()" pattern 
as in your original rule.  (You could also make it more specific if 
you don't want to pass on all 403 traffic between the hosts.)

[In Erek's tradition, let me say that I'm pretty sure what I said was 
correct, but would appreciate being clue'd in if not. :) ]

Best regards,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
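To make Jim's two points concrete (the action is only looked at after a rule's header and options have matched, and a header-only pass rule blinds you to everything else on that flow), here is a toy model of Snort-style rule evaluation. It is an added example for this thread, not Snort's code and not anything Mark or Erek posted: it parses the header plus the flags, content and depth options, tests every rule against a packet, and only then picks an action. The variable bindings, the 10.0.0.5 stand-in for x.x.x.x, the extra "500" alert rule (sid 1000001) and the packets are constructed, and it assumes pass rules are evaluated before alert rules, which Snort of that era needed the -o switch for.

```python
"""Toy model of Snort-style rule evaluation (constructed example, not
Snort's own code; heavily simplified: TCP only, one content, no ranges)."""
import re
from dataclasses import dataclass, field

# Assumed variable bindings, as a 2002-era snort.conf might set them.
# None stands for "any" (var EXTERNAL_NET any).
VARIABLES = {
    "$HTTP_SERVERS": {"192.0.2.10"},
    "$EXTERNAL_NET": None,
}

HEADER_RE = re.compile(
    r"^(alert|pass|log)\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)"
    r"\s*(?:\((.*)\))?\s*$"
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters that are set, e.g. "AP"
    payload: bytes


@dataclass
class Rule:
    action: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Parse one rule line into header fields and an option dictionary."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, src, sport, dst, dport, body = m.groups()
    options = {}
    for opt in (body or "").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return Rule(action, src, sport, dst, dport, options)


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("$"):
        hosts = VARIABLES[spec]
        return hosts is None or ip in hosts
    return spec == ip


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header and every option must match; the action plays no part here."""
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    required_flags = rule.options.get("flags", "").rstrip("+")   # "A+" -> ACK set, others allowed
    if not set(required_flags) <= set(pkt.flags):
        return False
    content = rule.options.get("content")
    if content is not None:
        depth = int(rule.options.get("depth", len(pkt.payload)))
        if content.encode() not in pkt.payload[:depth]:
            return False
    return True


def evaluate(rules, pkt, order=("pass", "alert", "log")):
    """Match first, choose the action second. `order` models pass-before-alert
    (the -o switch); swap it to see the default alert-before-pass behaviour."""
    matched = [r for r in rules if rule_matches(r, pkt)]
    for action in order:
        if any(r.action == action for r in matched):
            return action
    return None


# The thread's rules (10.0.0.5 stands in for x.x.x.x) plus one constructed
# alert rule on the same header, to expose the blind spot.
ALERT_403 = parse_rule('alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403 '
                       'Forbidden"; flags: A+; content:"HTTP/1.1 403"; depth:12; '
                       'classtype:attempted-recon; sid:1201; rev:2;)')
ALERT_500 = parse_rule('alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"constructed 500 '
                       'rule"; flags: A+; content:"HTTP/1.1 500"; depth:12; sid:1000001;)')
BROAD_PASS = parse_rule("pass tcp $HTTP_SERVERS 80 -> 10.0.0.5 any")
SPECIFIC_PASS = parse_rule('pass tcp $HTTP_SERVERS 80 -> 10.0.0.5 any (msg:"WEB-MISC 403 '
                           'Forbidden"; flags: A+; content:"HTTP/1.1 403"; depth:12;)')


def resp(dst: str, status: int) -> Packet:
    """Constructed HTTP response from the web server to `dst`."""
    return Packet("192.0.2.10", 80, dst, 51000, "AP", f"HTTP/1.1 {status} ...".encode())


def outcomes(pass_rule: Rule) -> dict:
    """What happens to three responses when `pass_rule` is loaded beside the alerts."""
    rules = [ALERT_403, ALERT_500, pass_rule]
    return {
        "403->10.0.0.5": evaluate(rules, resp("10.0.0.5", 403)),
        "500->10.0.0.5": evaluate(rules, resp("10.0.0.5", 500)),
        "403->203.0.113.7": evaluate(rules, resp("203.0.113.7", 403)),
    }


if __name__ == "__main__":
    print("broad pass:   ", outcomes(BROAD_PASS))
    print("specific pass:", outcomes(SPECIFIC_PASS))
```

With the broad pass rule the constructed 500 response to 10.0.0.5 is swallowed along with the 403 (the blind spot); with the pass rule that keeps the original rule's options, only the 403 to that host is suppressed and everything else still alerts. Passing `order=("alert", "pass", "log")` to `evaluate` shows the other half of the point: both rules still match exactly the same packets, only the winner changes.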