[Snort-users] Pass Rules Questions

Demetri Mouratis dmourati at ...3877...
Thu Jan 30 14:06:03 EST 2003


Matt,

Thanks for the response.  I have been playing with spade as well and have
had even more trouble keeping its S/N ratio sane.

I like spp_portscan and spp_portscan2, they make sense to me and are
generally one alert for one portscan.

I'll go digging back through the spade documentation to see if I can
figure out how to limit the number of alarms to something reasonable.

Thanks.

On Thu, 30 Jan 2003, Matt Kettler wrote:

> First, pass rules will not affect spp_portscan2, or any other preprocessor.
> Pass rules affect the traffic seen by other rules. If you want to filter
> stuff so that the preprocessors don't see them, you'll have to do that with
> bpf type filtering.
>
> Now the source of the "scan" is www.xxx.yyy.zzz, but that's not part of
> your IGNORE_PORTSCAN set.
>
> Thus,  www.xxx.yyy.zzz is being reported as scanning because the pass rule
> does not affect preprocessors, and the source of the scan is not in your
> ignore set.
>
> That said, I've been having considerable difficulty making spp_portscan2
> behave in a sane manner. It fires off as detecting a "syn-ack" scan every
> time a web browser in my network opens a web-page with more embedded images
> than the port_limit in the portscan2 preprocessor is set to, somehow
> neglecting to pay attention to the fact that the connection was initiated
> from HOME_NET first. I've actually disabled portscan2 in favor of spade
> which is much more flexible, and reasonable about its behavior.
>
>
> At 01:22 PM 1/30/2003 -0600, Demetri Mouratis wrote:
> >Hello,
> >
> >I've got a problem with some pass rules that don't seem to be passing.
> >
> >Snort is v1.9.0, I'm running it on a stealth interface (eth1) connected to
> >a monitoring port on my switch.
> >
> >I'd like snort to ignore traffic to and from port 25.  Here
> >are the two rules I've added to local.rules to accomplish this:
> >
> >pass tcp $HOME_NET 1025:65535 <> any 25
> >pass tcp $HOME_NET 25 <> any 1025:65535
> >
> >HOME_NET is defined in snort.conf:
> >
> >var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]
> >
> >Snort is invoked thusly:
> >
> >/usr/local/bin/snort -b -d -D -o -i eth1 -c /etc/snort/snort.conf
> >
> >Looking through my ACID logs:
> >
> >(spp_portscan2) Portscan detected from www.xxx.yyy.zzz:
> >1 targets 21 ports in 58 seconds
> >
> >
> >2003-01-30 13:02:34-06
> >
> >SRC: www.xxx.yyy.zzz:25
> >
> >DST aaa.bbb.ccc.ddd:34722
> >
> >PROTO: TCP
> >
> >Additionally, in snort.conf, I've defined:
> >
> >var IGNORE_PORTSCAN $HOME_NET
> >preprocessor portscan2-ignorehosts: $IGNORE_PORTSCAN
> >
> >Any guidance greatly appreciated.
> >
> >Thanks.
> >---------------------------------------------------------------------
> >Demetri Mouratis
> >dmourati at ...3878...
> >
> >
> >
>

---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...
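Matt's point above is that a pass rule only hides traffic from the rule engine; spp_portscan2 and the other preprocessors still see every packet, so the only way to keep port 25 traffic away from them is a BPF filter applied at capture time. The following is an added example, not code from either poster: a small POSIX shell helper that builds the BPF expression excluding TCP port 25 traffic involving the HOME_NET ranges and writes it to a file that snort reads with its -F option. The network values in the usage comment are the thread's placeholders and must be replaced with real CIDR blocks before the filter will compile; the output path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Build a BPF expression that drops
# TCP port-N traffic to or from the listed networks before snort sees it,
# so preprocessors such as spp_portscan2 never process it either.
# Usage: bpf_exclude_port PORT NET [NET...]
bpf_exclude_port() {
    port=$1
    shift
    nets=""
    for n in "$@"; do
        # Join the networks with "or" inside one parenthesised group.
        if [ -z "$nets" ]; then
            nets="net $n"
        else
            nets="$nets or net $n"
        fi
    done
    # Negate the whole conjunction: keep everything except port-N traffic
    # that touches one of our own networks.
    printf 'not (tcp port %s and (%s))' "$port" "$nets"
}

# Write the expression to a filter file for snort's -F option.
# Usage: write_filter_file FILE PORT NET [NET...]
write_filter_file() {
    file=$1
    shift
    bpf_exclude_port "$@" > "$file"
    printf '\n' >> "$file"
}

# Example from the thread, with the placeholder networks that must be
# replaced by real CIDR blocks (assumed file path /etc/snort/smtp.bpf):
#   write_filter_file /etc/snort/smtp.bpf 25 \
#       aaa.bbb.ccc.ddd/24 eee.fff.ggg.hhh/26 iii.jjj.kkk.lll/28
#   /usr/local/bin/snort -b -d -D -o -i eth1 \
#       -c /etc/snort/snort.conf -F /etc/snort/smtp.bpf
```

Because the filter is applied by libpcap before Snort decodes anything, the excluded packets reach neither the preprocessors nor the rules, which also means they are not logged by -b; if you still want the raw packets on disk, keep the pass rules for the rule engine and use a separate capture for archiving. You can check what the expression compiles to with `tcpdump -d 'not (tcp port 25 and (net 192.0.2.0/24))'` before handing it to snort.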