[Snort-users] Pass rule not passing preprocessors

Bennett Todd bet at ...6163...
Sun Apr 20 10:20:04 EDT 2003


2003-04-20T03:20:21 Always Bishan:
> Now by writing this pass rule I'm able to avoid any
> alerts from my rules directory, but preprocessors are
> still generating alerts. 

That's right. Preprocessors are applied before rules --- including
pass rules.

> Is there anyway to avoid this?

There are only two possible ways to blind preprocessors to certain
traffic. For certain preprocessors (e.g. portscan, portscan2)
there's a corresponding "-ignorehosts" preprocessor
(portscan-ignorehosts, portscan2-ignorehosts respectively) that
allows blinding just that preprocessor to a list of hosts.

The other approach can blind all of snort --- all preprocessors, all
rules, everything --- to specific traffic; that's to use a bpf
filter. These can be specified on the cmdline (that's the optional
"expression" that can be at the end of the cmdline), or in a file
named by the -F option on the cmdline. Packet filtering specified by
BPF rules happens before snort sees the packets, so it completely
blinds snort to whatever the rules elect to drop.

I dabbled a bit with the above, but I ended up disabling the
preprocessors that were inflicting false-positives on me.

-Bennett
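Concrete syntax for the two approaches Bennett lists, as an added example that is not part of the original thread: the portscan-ignorehosts lines belong in snort.conf, and a small shell helper builds the BPF negation (using `net` for CIDR arguments, `host` otherwise) for the -F filter file or for the trailing command-line expression. Addresses and file paths are constructed placeholders, and the snort invocation assumes the -c and -i options alongside the -F option from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses and paths are
# constructed placeholders.

# 1) Per-preprocessor blinding: snort.conf directives that make only the
#    portscan preprocessors ignore the listed hosts; rules and the other
#    preprocessors still see that traffic.
#
#      preprocessor portscan-ignorehosts: 192.0.2.10 192.0.2.11
#      preprocessor portscan2-ignorehosts: 192.0.2.10 192.0.2.11

# 2) Whole-snort blinding: a BPF expression applied before snort sees the
#    packet, so neither preprocessors nor any rule ever fires on it.
bpf_ignore_hosts() {
    # Build "not (host A or net B/nn ...)" from the arguments.
    # Refuse an empty list: "not ()" is not a valid BPF expression.
    [ "$#" -gt 0 ] || return 1
    e=""
    for a in "$@"; do
        case "$a" in
            */*) t="net $a" ;;   # CIDR argument -> net keyword
            *)   t="host $a" ;;  # single address -> host keyword
        esac
        if [ -z "$e" ]; then e="$t"; else e="$e or $t"; fi
    done
    printf 'not (%s)\n' "$e"
}

write_bpf_filter() {
    # Write the expression to a file suitable for snort's -F option.
    out="$1"; shift
    bpf_ignore_hosts "$@" > "$out" || return 1
    printf '%s\n' "$out"
}

# Usage (constructed paths; run on the sensor as the snort user):
#   write_bpf_filter /etc/snort/ignore.bpf 192.0.2.10 198.51.100.0/24
#   snort -c /etc/snort/snort.conf -i eth0 -F /etc/snort/ignore.bpf
# or as the optional trailing expression on the cmdline:
#   snort -c /etc/snort/snort.conf -i eth0 'not (host 192.0.2.10)'
```

Blinding snort this way also hides any real attack from those hosts, so prefer the narrower -ignorehosts directive when only one preprocessor is producing the false positives.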