[Snort-users] Pass Rules Questions

Matt Kettler mkettler at ...4108...
Thu Jan 30 12:48:03 EST 2003

First, pass rules will not affect spp_portscan2, or any other preprocessor. 
Pass rules affect the traffic seen by other rules. If you want to filter 
stuff so that the preprocessors don't see them, you'll have to do that with 
bpf type filtering.

Now the source of the "scan" is  www.xxx.yyy.zzz..  but that's not part of 

Thus, www.xxx.yyy.zzz is being reported as scanning because the pass rule 
does not affect preprocessors, and the source of the scan is not in your 
ignore set.

That said, I've been having considerable difficulty making spp_portscan2 
behave in a sane manner. It fires off as detecting a "syn-ack" scan every 
time a web browser in my network opens a web-page with more embedded images 
than the port_limit in the portscan2 preprocessor is set to, somehow 
neglecting to pay attention to the fact that the connection was initiated 
from HOME_NET first. I've actually disabled portscan2 in favor of spade 
which is much more flexible, and reasonable about its behavior.

At 01:22 PM 1/30/2003 -0600, Demetri Mouratis wrote:
>I've got a problem with some pass rules that don't seem to be passing.
>Snort is v1.9.0, I'm running it on a stealth interface (eth1) connected to
>a monitoring port on my switch.
>I'd like snort to ignore traffic to and from port 25.  Here
>are the two rules I've added to local.rules to accomplish this:
>pass tcp $HOME_NET 1025:65535 <> any 25
>pass tcp $HOME_NET 25 <> any 1025:65535
>HOME_NET is defined in snort.conf:
>var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]
>Snort is invoked thusly:
>/usr/local/bin/snort -b -d -D -o -i eth1 -c /etc/snort/snort.conf
>Looking through my ACID logs:
>(spp_portscan2) Portscan detected from www.xxx.yyy.zzz:
>1 targets 21 ports in 58 seconds
>2003-01-30 13:02:34-06
>SRC: www.xxx.yyy.zzz:25
>DST aaa.bbb.ccc.ddd:34722
>Additionally, in snort.conf, I've defined:
>preprocessor portscan2-ignorehosts: $IGNORE_PORTSCAN
>Any guidance greatly appreciated.
>Demetri Mouratis
>dmourati at ...3878...
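
The stage ordering described in the reply, as a simplified Python model added here (not Snort code and not part of the original thread): a capture filter removes packets before any stage, the preprocessor sees everything captured, and a pass rule only stops later rules. The addresses, `PORT_LIMIT` and all function names are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample: a mail server (port 25) answering 21 SMTP sessions
# opened from one HOME_NET host, each on a different ephemeral port.
MAIL, CLIENT = "192.0.2.25", "10.0.0.5"
PACKETS = [{"src": MAIL, "sport": 25, "dst": CLIENT, "dport": 34722 + i}
           for i in range(21)]
PACKETS.append({"src": "198.51.100.7", "sport": 40000, "dst": CLIENT, "dport": 80})

PORT_LIMIT = 20  # assumed threshold, stands in for portscan2's port_limit


def capture_filter_not_port_25(pkt):
    """Models the BPF expression 'not tcp port 25' applied at capture time."""
    return 25 not in (pkt["sport"], pkt["dport"])


def pass_rule_port_25(pkt):
    """Models the two pass rules: either side of the session on port 25."""
    return 25 in (pkt["sport"], pkt["dport"])


def run(packets, capture_filter=None, pass_rule=None):
    """Capture filter -> preprocessor -> rules. Returns (scan_sources, rule_hits)."""
    ports_by_src = defaultdict(set)
    rule_hits = 0
    for pkt in packets:
        if capture_filter and not capture_filter(pkt):
            continue  # dropped before any detection stage sees it
        # Preprocessor stage: runs on every captured packet, before rules.
        ports_by_src[pkt["src"]].add(pkt["dport"])
        # Rule stage: a matching pass rule only stops the other rules.
        if pass_rule and pass_rule(pkt):
            continue
        rule_hits += 1  # stand-in for "alert/log rules evaluated this packet"
    scans = sorted(s for s, p in ports_by_src.items() if len(p) > PORT_LIMIT)
    return scans, rule_hits


if __name__ == "__main__":
    print("pass rule only :", run(PACKETS, pass_rule=pass_rule_port_25))
    print("capture filter :", run(PACKETS, capture_filter=capture_filter_not_port_25))
```

In Snort the corresponding capture filter is a BPF expression such as `not tcp port 25`, given at the end of the command line or in a file loaded with `-F`.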