[Snort-users] Same source/dest

Keg snrtlst at ...2792...
Wed Apr 2 09:38:10 EST 2003


Sorry guys for the question but how do I write the pass rule? Should I 
create the file and name it as pass.rules or should I simply add the 
following to the local rules?

pass ip 10.13.110.254 53 -> 10.13.110.254 any 



Erek Adams wrote:

>On Wed, 2 Apr 2003, Brei, Matt wrote:
>
>>That's exactly what I did.  I'll refer you to my first post seen below.
>>
>>  pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC
>>>same SRC/DST"; sameip; reference:cve,CVE-1999-0016;
>>>reference:url,www.cert.org/advisories/CA-1997-28.html;
>>>classtype:bad-unknown; sid:527; rev:3;)
>
>
>Remove the extra stuff.  It's not needed, and you're 'reusing' a SID which
>you shouldn't do.  You can shorten all that to:
>
>    pass ip 10.13.110.254 53 -> 10.13.110.254 1026
>
>If 1026 is what port it always hits on.  If it varies, then change it to:
>
>    pass ip 10.13.110.254 53 -> 10.13.110.254 any
>
>I'm assuming that this is DNS traffic.  To reduce the chance of something
>bad slipping by you could make it:
>
>    pass udp 10.13.110.254 53 -> 10.13.110.254 any
>
>One thing to think about:  If you're seeing a lot of traffic of this type,
>instead of using a pass rule, use a BPF filter.  By using the BPF filter,
>you are stopping the packets from ever getting into Snort.  As minor as
>that sounds, that can save you CPU cycles which is a good thing.  It
>eliminates the need for reading and parsing the pass rules, and the
>comparisons to see if it should be passed.  On a heavily loaded network,
>that could be a significant savings.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users

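As an added illustration (not code from the thread or from Snort itself), here is a small Python model of the three options Erek lists: the `pass ip` rule, the tighter `pass udp` rule, and a BPF capture filter, run over constructed packets. The `Packet` class, `bpf_drops` and the sample packets are assumptions made for this example, and the model assumes pass rules are ordered before alert rules (the `-o` switch in Snort of this era).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def parse_header(rule):
    """Split a minimal Snort rule header into (action, proto, src, sport, dst, dport)."""
    action, proto, src, sport, arrow, dst, dport = rule.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are modelled")
    return action, proto, src, sport, dst, dport

def header_matches(rule, pkt):
    """'ip' matches every protocol; 'any' matches every host or port."""
    _, proto, src, sport, dst, dport = parse_header(rule)
    return (proto in ("ip", pkt.proto)
            and src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and sport in ("any", str(pkt.sport)) and dport in ("any", str(pkt.dport)))

def bpf_drops(pkt):
    # Stand-in for the capture filter
    #   not (udp and src host 10.13.110.254 and src port 53 and dst host 10.13.110.254)
    # Matching packets are dropped by libpcap and never reach Snort's rule engine.
    return (pkt.proto == "udp" and pkt.src == "10.13.110.254"
            and pkt.sport == 53 and pkt.dst == "10.13.110.254")

def verdict(pkt, pass_rule=None, bpf=None):
    if bpf is not None and bpf(pkt):
        return "filtered"          # discarded before any rule is read
    if pass_rule is not None and header_matches(pass_rule, pkt):
        return "pass"              # pass rule evaluated ahead of alert rules
    if pkt.src == pkt.dst:         # the sameip check behind sid 527
        return "alert:sid527"
    return "ok"

PASS_IP  = "pass ip 10.13.110.254 53 -> 10.13.110.254 any"
PASS_UDP = "pass udp 10.13.110.254 53 -> 10.13.110.254 any"

# Constructed sample packets
DNS_REPLY  = Packet("udp", "10.13.110.254", 53, "10.13.110.254", 1026)
TCP_SAMEIP = Packet("tcp", "10.13.110.254", 53, "10.13.110.254", 1026)
NORMAL     = Packet("udp", "10.13.110.7", 1500, "10.13.110.254", 53)

if __name__ == "__main__":
    for p in (DNS_REPLY, TCP_SAMEIP, NORMAL):
        print(p.proto, verdict(p, PASS_IP), verdict(p, PASS_UDP), verdict(p, PASS_UDP, bpf_drops))
```

The TCP packet shows the "something bad slipping by" case: the `pass ip` rule silences it, while `pass udp` still lets sid 527 fire.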