[Snort-users] Pass rule sometimes does not work

Hess, Ben ben.hess at ...7996...
Tue Jan 14 09:06:03 EST 2003


I read the FAQ, and the question that I have is how does it determine the
order in which the OTNs are placed? Just for reference, below are the rules I
am working on.

var CALENDAR [10.100.4.25,10.100.4.27,10.100.4.24]
pass tcp $EXTERNAL_NET any -> $CALENDAR $HTTP_PORTS ( sid: 1000005; rev: 2; msg: "WEB-CGI calendar access"; flow: to_server,established; uricontent: "/calendar"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( sid: 882; rev: 4; msg: "WEB-CGI calendar access"; flow: to_server,established; uricontent: "/calendar"; nocase; classtype: attempted-recon;)

-----Original Message-----
From: Erick Mechler [mailto:emechler at ...7719...]
Sent: Tuesday, January 14, 2003 9:30 AM
To: Hess, Ben
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Pass rule sometimes does not work


:: I have a web server that allows use of the CGI calendar feature on some of
:: the web sites. I wrote a pass rule that should allow the traffic to not be
:: picked up but every so often I get an alert from one of the allowed
:: addresses. Does anyone know where I should look to troubleshoot this issue?

Check out Section 3.13 of the FAQ.  It might explain why your rule doesn't
do what you think it should.  http://www.snort.org/docs/faq.html#3.13 If
that doesn't answer your question, send us the relevant rules and we'll see
what we can find.

Cheers - Erick