[Snort-users] Same source/dest

Erek Adams erek at ...950...
Wed Apr 2 09:05:05 EST 2003


On Wed, 2 Apr 2003, Brei, Matt wrote:

> That's exactly what I did.  I'll refer you to my first post seen below.
>
>   pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC
> > same SRC/DST"; sameip; reference:cve,CVE-1999-0016;
> > reference:url,www.cert.org/advisories/CA-1997-28.html;
> > classtype:bad-unknown; sid:527; rev:3;)

Remove the extra stuff.  It's not needed, and you're 'reusing' a SID which
you shouldn't do.  You can shorten all that to:

	pass ip 10.13.110.254 53 -> 10.13.110.254 1026

If 1026 is what port it always hits on.  If it varries, then change it to:

	pass ip 10.13.110.254 53 -> 10.13.110.254 any

I'm assuming that this is DNS traffic.  To reduce the chance of something
bad slipping by you could make it:

	pass udp 10.13.110.254 53 -> 10.13.110.254 any

One thing to think about:  If you're seeing a lot of traffic of this type,
instead of using a pass rule, use a BPF filter.  By using the BPF filter,
you are stopping the packets from ever getting into Snort.  As minor as
that sounds, that can save you CPU cycles which is a good thing.  It
eliminates the need for the reading and parsing the pass rules, and the
comparisions to see if it should be passed.  On a heavily loaded network,
that could be a significant savings.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list