[Snort-users] Setting Up Policy-Based.rules file
mkettler at ...4108...
Mon Nov 3 09:06:08 EST 2003
At 11:02 AM 11/3/2003, Kaplan, Andrew H. wrote:
>1. I don't want, initally, to monitor any traffic going from the 10.1.0.0
>network to any TCP/IP port on the server
> 220.127.116.11. Therefore would the following statements work?
> pass ip 10.1.0.0/24 any -> 18.104.22.168 0:65534
> pass tcp 10.1.0.0/24 any -> 22.214.171.124 0:65534
> pass udp 10.1.0.0/24 any -> 126.96.36.199 0:65534
why are you excluding port 65535? if you really mean any port, I'd suggest
saying 'any' instead of a range.
Also, above you stated you wanted to exclude tcp/ip.. but here you've
explicitly got udp included as well as a blanket for all IP.. so do you
want to exclude _all_ IP, or just tcp/ip?
Also, do you only want to pass traffic flowing to that server, or traffic
flowing in both directions?
I'd suggest this pass rule to blanket-cover everything IP flowing between
10.1.0.* and 188.8.131.52:
pass ip 10.1.0.0/24 any <> 184.108.40.206 any
To do an additional pass of tcp and udp is redundant. If you only want to
pass traffic from 10.1.0.* to the server, and not pass replies, use ->
instead of <>.
Also be sure to pass -o parameter to snort.
>2. If I want, at a later date, to monitor particular port traffic, do I add
>the ports I want to monitor AFTER the
> blanket range shown in item 1, or do I add them BEFORE it?
You will need to modify your pass rule to no longer be a blanket.. It
doesn't matter which order the rules are in, if you pass the -o parameter
to snort ALL pass rules will occur before ALL other rules.. if you don't
pass -o to snort, then ALL alert rules will be run before any pass rules
Thus to snort, it never matters if an alert rule comes before or after a
pass rule in the config file, there's a precedence behavior for the rule
type where one will always occur before the other, no matter what order
they are in.
More information about the Snort-users