[Snort-users] Setting Up Policy-Based.rules file

Mon Nov 3 09:06:08 EST 2003

At 11:02 AM 11/3/2003, Kaplan, Andrew H. wrote:
>1. I don't want, initally, to monitor any traffic going from the 10.1.0.0
>network to any TCP/IP port on the server
>    145.143.24.45. Therefore would the following statements work?
>
>                 pass ip 10.1.0.0/24 any -> 145.143.24.45 0:65534
>                 pass tcp 10.1.0.0/24 any -> 145.143.24.45 0:65534
>                 pass udp 10.1.0.0/24 any -> 145.143.24.45 0:65534

why are you excluding port 65535? if you really mean any port, I'd suggest 
saying 'any' instead of a range.

Also, above you stated you wanted to exclude tcp/ip.. but here you've 
explicitly got udp included as well as a blanket for all IP.. so do you 
want to exclude _all_ IP, or just tcp/ip?

Also, do you only want to pass traffic flowing to that server, or traffic 
flowing in both directions?

I'd suggest this pass rule to blanket-cover everything IP flowing between 
10.1.0.* and 145.143.24.45:

                 pass ip 10.1.0.0/24 any <> 145.143.24.45 any

To do an additional pass of tcp and udp is redundant. If you only want to 
pass traffic from 10.1.0.* to the server, and not pass replies, use -> 
instead of <>.

Also be sure to pass -o parameter to snort.

>2. If I want, at a later date, to monitor particular port traffic, do I add
>the ports I want to monitor AFTER the
>     blanket range shown in item 1, or do I add them BEFORE it?

You will need to modify your pass rule to no longer be a blanket.. It 
doesn't matter which order the rules are in, if you pass the -o parameter 
to snort ALL pass rules will occur before ALL other rules.. if you don't 
pass -o to snort, then ALL alert rules will be run before any pass rules 
are run..

Thus to snort, it never matters if an alert rule comes before or after a 
pass rule in the config file, there's a precedence behavior for the rule 
type where one will always occur before the other, no matter what order 
they are in.