[Snort-users] Same source/dest
snrtlst at ...2792...
Wed Apr 2 09:38:10 EST 2003
Sorry guys for the question but how do I write the pass rule? Should I
create the file and name it as pass.rules or should I simply add the
following to the local rules?
pass ip 10.13.110.254 53 -> 10.13.110.254 any
Erek Adams wrote:
>On Wed, 2 Apr 2003, Brei, Matt wrote:
>>That's exactly what I did. I'll refer you to my first post seen below.
>> pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC
>>>same SRC/DST"; sameip; reference:cve,CVE-1999-0016;
>>>classtype:bad-unknown; sid:527; rev:3;)
>Remove the extra stuff. It's not needed, and you're 'reusing' a SID which
>you shouldn't do. You can shorten all that to:
> pass ip 10.13.110.254 53 -> 10.13.110.254 1026
>If 1026 is what port it always hits on. If it varies, then change it to:
> pass ip 10.13.110.254 53 -> 10.13.110.254 any
>I'm assuming that this is DNS traffic. To reduce the chance of something
>bad slipping by you could make it:
> pass udp 10.13.110.254 53 -> 10.13.110.254 any
>One thing to think about: If you're seeing a lot of traffic of this type,
>instead of using a pass rule, use a BPF filter. By using the BPF filter,
>you are stopping the packets from ever getting into Snort. As minor as
>that sounds, that can save you CPU cycles which is a good thing. It
>eliminates the need for reading and parsing the pass rules, and the
>comparisons to see if it should be passed. On a heavily loaded network,
>that could be a significant savings.
> "When things get weird, the weird turn pro." H.S. Thompson
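The two approaches from the reply above, written out side by side (an added example, not part of the original thread). The addresses and ports are the ones quoted in the thread; the file paths are assumptions.

```conf
# Comment lines in this block are annotations for the reader.

# --- Option 1: pass rule, e.g. in local.rules ---------------------------
# Any rules file works as long as snort.conf includes it.
# Header only: no msg/sid options, so SID 527 is not reused.
# udp instead of ip keeps non-UDP same source/destination traffic
# under inspection.
pass udp 10.13.110.254 53 -> 10.13.110.254 any

# Snort releases of this period test alert rules before pass rules by
# default. Starting Snort with -o changes the order to pass, alert, log,
# so the pass rule is checked first (snort.conf path assumed):
#   snort -o -c /etc/snort/snort.conf

# --- Option 2: BPF filter, e.g. /etc/snort/ignore.bpf (path assumed) ----
# A BPF expression names the traffic Snort should capture, so the traffic
# to ignore is negated. Matching packets never reach Snort: no rule sees
# them and nothing is logged for them, so keep the expression as narrow
# as the pass rule it replaces. The file itself holds only this line:
not (udp and src host 10.13.110.254 and src port 53 and dst host 10.13.110.254)

# Load the filter file with -F:
#   snort -c /etc/snort/snort.conf -F /etc/snort/ignore.bpf
```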