[Snort-users] Part of traffic matching wrong rule
slave_tothe_box at ...131...
Tue Jun 24 11:46:26 EDT 2003
--- Juergen Anthamatten <juergen.anthamatten at ...158...>
> I have the strange behaviour in snort that part of the traffic is matching
> the wrong rule.
> The details:
> I'd like to alarm on tcp syn-ack packets sent back by a server violating
> our policy. Therefore I "pass" all allowed syn-ack traffic and then I
> "alarm" on all other syn-ack packets.
> This works almost fine, except that for about 1% of the traffic that
> theoretically matches the pass rule, this rule is not hitting and the
> alarm rule is triggering instead.
> Relevant configuration info:
> Snort Version: 2.0.0
> Rule application order: alert->pass->alarm
> var HOME_NET 220.127.116.11/28
> var UNIVERSE 0.0.0.0/0
> var host1 18.104.22.168
> pass tcp $host1 80 -> $UNIVERSE 1024: (flags: SA;)
> alarm tcp $HOME_NET any -> $UNIVERSE any (flags: SA; msg:"Forbidden synAck from HOME_NET";)
> As the following extract of the alarm logfile shows, this packet, which
> theoretically fits the pass rule, is not matching the pass rule but the
> final alarm rule.
> ... 22.214.171.124.80 > 126.96.36.199.8888: S 2146395230:2146395230(0) ack 3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)
> (For about 99% of the syn-ack responses from 188.8.131.52.80 the pass rule
> matches and no alarm is triggered.)
> Is this a misconfiguration, or ???
> TIA for any hints.....
Start your snort with -o
-o Change the rule testing order to
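Why -o changes which rule a packet hits, as an added example that is not part of the original thread: a small Python model of Snort 2.x rule-group ordering. Snort 2.x tests its rule groups in the order Alert, Pass, Log by default, and -o switches that to Pass, Alert, Log; in this model the first rule that matches decides what happens to the packet, so under the default order an alert rule sees a syn-ack before any pass rule gets the chance to suppress it, and under -o the pass rule wins. The HOME_NET and host1 values, the addresses (RFC 5737 documentation ranges) and the packets are constructed, since the archive scrubbed the post's own addresses, and the post's custom "alarm" action is modelled as a plain alert rule. The matching logic covers only header fields and the flags test, not Snort's full option set.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters as Snort writes them, e.g. "SA"


@dataclass(frozen=True)
class Rule:
    action: str   # "pass", "alert" or "log"
    src_net: str  # CIDR, single address, or "any"
    sport: str    # "80", "1024:", "1024:65535" or "any"
    dst_net: str
    dport: str
    flags: str    # exact flag set to require, "any" for no flags test
    msg: str = ""


def _port_matches(spec: str, port: int) -> bool:
    """Snort-style port spec: single port, open range '1024:', or 'lo:hi'."""
    if spec == "any":
        return True
    if spec.endswith(":"):
        return port >= int(spec[:-1])
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def _net_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_matches(rule.src_net, pkt.src)
            and _port_matches(rule.sport, pkt.sport)
            and _net_matches(rule.dst_net, pkt.dst)
            and _port_matches(rule.dport, pkt.dport)
            and (rule.flags == "any" or set(rule.flags) == set(pkt.flags)))


DEFAULT_ORDER = ("alert", "pass", "log")  # Snort 2.x default group order
DASH_O_ORDER = ("pass", "alert", "log")   # the order selected by snort -o


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, msg) for the first matching rule, trying the groups in
    `order`; (None, "") if no rule matches. A 'pass' match ends inspection
    silently, which is the whole point of putting pass first."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return None, ""


# Constructed stand-ins for the post's variables (the real ones were scrubbed).
HOME_NET = "192.0.2.0/28"
HOST1 = "192.0.2.5"      # the permitted web server inside HOME_NET
UNIVERSE = "0.0.0.0/0"

RULES = [
    # pass tcp $host1 80 -> $UNIVERSE 1024: (flags: SA;)
    Rule("pass", HOST1, "80", UNIVERSE, "1024:", "SA"),
    # the post's "alarm" rule, modelled here as a standard alert rule
    Rule("alert", HOME_NET, "any", UNIVERSE, "any", "SA",
         "Forbidden synAck from HOME_NET"),
]

# Constructed packets: a syn-ack the pass rule is meant to cover, and one
# from another HOME_NET host that should alert regardless of order.
ALLOWED_SYNACK = Packet(HOST1, 80, "198.51.100.7", 8888, "SA")
FORBIDDEN_SYNACK = Packet("192.0.2.9", 22, "198.51.100.7", 40000, "SA")

if __name__ == "__main__":
    for order in (DEFAULT_ORDER, DASH_O_ORDER):
        for pkt in (ALLOWED_SYNACK, FORBIDDEN_SYNACK):
            print(" -> ".join(order), f"{pkt.src}:{pkt.sport}", evaluate(RULES, pkt, order))
```

Running it shows the permitted syn-ack producing the alert under the default order and a silent pass under the -o order, while the forbidden syn-ack alerts in both. The model does not explain the 1% figure in the post; it only shows that group order, not rule order within the file, decides which group a packet is judged by.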