[Snort-users] Part of traffic matching wrong rule

James Nonya slave_tothe_box at ...131...
Tue Jun 24 11:46:26 EDT 2003


--- Juergen Anthamatten <juergen.anthamatten at ...158...> wrote:
> I have the strange behaviour in snort that part of the traffic is matching
> the wrong rule.
> 
> The details:
> I'd like to alarm on tcp syn-ack packets sent back by a server violating
> our policy. Therefore I "pass" all allowed syn-ack traffic and then I
> "alarm" on all other syn-ack packets.
> This works almost fine, except that for about 1% of the traffic which
> theoretically matches the pass rule, this rule is not hitting and the
> alarm rule is triggering instead.
> 
> Relevant configuration info:
> Snort Version: 2.0.0
> Rule application order: alert->pass->alarm
> 
> var HOME_NET    64.232.48.224/28
> var UNIVERSE    0.0.0.0/0
> var host1       64.232.48.230
> 
> pass    tcp     $host1      80  ->  $UNIVERSE   1024: (flags: SA;)
> alarm   tcp     $HOME_NET   any ->  $UNIVERSE   any   (flags: SA; msg:"Forbidden synAck from HOME_NET";)
> 
> 
> As the following extract of the alarm logfile shows, this packet, which
> theoretically fits the pass rule, is not matching the pass rule but the
> final alarm rule.
> "
> ... 64.232.48.230.80 > 88.34.112.22.8888: S 2146395230:2146395230(0) ack 3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)
> "
> 
> (For about 99% of the syn-ack responses from 64.232.48.230.80 the pass rule
> is matching and no alarm is triggered.)
> 
> Is this a misconfiguration, or ???
> TIA for any hints.....
> 
> ./juergen
> 

Juergen,

Start your snort with -o:

    -o    Change the rule testing order to Pass|Alert|Log

James
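As an added illustration, not part of the original thread, the following Python model evaluates the two rules from Juergen's configuration against a few constructed SYN-ACK packets under both rule-type orders: Snort 2.0's default Alert|Pass|Log and the Pass|Alert|Log order that -o selects. It is a simplified model of the ordering semantics only (the first rule type in the order that has a matching rule wins; `flags:` is compared as an exact flag set), not Snort's detection engine. The post's "alarm" rule is treated as an `alert` rule here, and every packet other than the one copied from the log extract is invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Variables exactly as defined in the original post.
VARS = {
    "HOME_NET": "64.232.48.224/28",
    "UNIVERSE": "0.0.0.0/0",
    "host1": "64.232.48.230",
}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SA" = SYN+ACK


@dataclass
class Rule:
    action: str  # "pass" or "alert" (the post writes the latter as "alarm")
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    msg: str = ""


# The two rules from the post; "alarm" modelled as Snort's alert action.
RULES = [
    Rule("pass", "$host1", "80", "$UNIVERSE", "1024:", "SA"),
    Rule("alert", "$HOME_NET", "any", "$UNIVERSE", "any", "SA",
         "Forbidden synAck from HOME_NET"),
]

# Snort 2.0 default order, and the order selected by the -o switch.
DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")


def _net(spec):
    """Resolve a $VAR or literal address/CIDR to an ip_network."""
    spec = VARS.get(spec.lstrip("$"), spec)
    return ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """Snort port syntax: 'any', a single port, or a range 'lo:hi' with
    either end optional ('1024:' means 1024 and above)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header plus an exact-set comparison of TCP flags (approximates
    'flags: SA;' without Snort's +/*/! modifiers)."""
    return (ipaddress.ip_address(pkt.src) in _net(rule.src)
            and _port_match(rule.sport, pkt.sport)
            and ipaddress.ip_address(pkt.dst) in _net(rule.dst)
            and _port_match(rule.dport, pkt.dport)
            and set(rule.flags) == set(pkt.flags))


def evaluate(rules, pkt, order):
    """Return the action taken for pkt: rule types are tried in `order`
    and the first type with a matching rule decides."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action
    return "none"


# The SYN-ACK copied from the log extract in the post.
POSTED_PKT = Packet("64.232.48.230", 80, "88.34.112.22", 8888, "SA")

# Constructed packets: another HOME_NET host, and host1 replying to a
# client port below 1024 (outside the pass rule's '1024:' range).
OTHER_HOST_PKT = Packet("64.232.48.231", 80, "1.2.3.4", 40000, "SA")
LOW_PORT_PKT = Packet("64.232.48.230", 80, "1.2.3.4", 1000, "SA")

if __name__ == "__main__":
    for name, pkt in (("posted", POSTED_PKT), ("other host", OTHER_HOST_PKT),
                      ("low port", LOW_PORT_PKT)):
        print(f"{name:10s} default order: {evaluate(RULES, pkt, DEFAULT_ORDER):5s} "
              f"with -o: {evaluate(RULES, pkt, DASH_O_ORDER)}")
```

Under the default order the alert rule is consulted before the pass rule, so the logged packet alerts even though it also matches the pass rule; with the -o order the pass rule is consulted first and suppresses the alert, while SYN-ACKs from other HOME_NET hosts, or to client ports below 1024, still alert as the policy intends.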






