[Snort-users] Part of traffic matching wrong rule
juergen.anthamatten at ...1171...
Thu Jun 19 09:14:55 EDT 2003
I'd like to alarm on tcp syn-ack packets sent back by a server which are
violating our policy.
Therefore I "pass" all allowed syn-ack traffic and then "alarm" on all other
This works almost fine. But for about 1% of the traffic, matching
theoretically the pass rule, this rule is not hitting and the alarm rule is triggering
Relevant configuration info:
Snort Version: 2.0.0
Rule application order: alert->pass->alarm
var HOME_NET 184.108.40.206/28
var UNIVERSE 0.0.0.0/0
var host1 220.127.116.11
pass tcp $host1 80 -> $UNIVERSE 1024: (flags: SA;)
alarm tcp $HOME_NET any -> $UNIVERSE any (flags: SA;
msg:"Forbidden synAck from HOME_NET";)
For about 99% of the syn-ack responses from 18.104.22.168.80 the rule is
matching as expected and no alarm is triggered.
But, as the following extract of the alarm-logfile shows, some packets
fitting theoretically the pass-rule, are not matching the pass-rule but the final
... 22.214.171.124.80 > 126.96.36.199.8888: S 2146395230:2146395230(0) ack
3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)
Is this a missconfiguration, bug or feature?;-)?
TIA for any hints.....
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
More information about the Snort-users