[Snort-users] Setting Up Policy-Based.rules file

Kaplan, Andrew H. AHKAPLAN at ...10063...
Mon Nov 3 09:37:15 EST 2003

Hi Matt --

Thanks for your reply. 

1. I do want to exclude the entire tcp/ip range, including port 65535, in both
   Following your advice, I reconfigured the policy file so it now reads:

	pass ip any <> any

2. I didn't realize that including lines for tcp and udp after ip would be
redundant. My 
   understanding was that each protocol had to be treated separately. Since, as
you said,
   IP is a blanket covering TCP, UDP, as well as IP, I commented out the pass
lines that
   reference the two Layer Four protocols.

3. If I modify the rules file to no longer be a blanket. Can the coverage be
split into
   several lines that do not include the port to be monitored? For example, if I
want to
   monitor port number 4589, could the rules file have the following lines:
	pass ip any <> 0:4588
	pass ip any <> 4590:65535


-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Monday, November 03, 2003 12:04 PM
To: Kaplan, Andrew H.; 'snort-users at lists.sourceforge.net'
Cc: Wolfgang, John A.
Subject: Re: [Snort-users] Setting Up Policy-Based.rules file

At 11:02 AM 11/3/2003, Kaplan, Andrew H. wrote:
>1. I don't want, initally, to monitor any traffic going from the
>network to any TCP/IP port on the server
> Therefore would the following statements work?
>                 pass ip any -> 0:65534
>                 pass tcp any -> 0:65534
>                 pass udp any -> 0:65534

why are you excluding port 65535? if you really mean any port, I'd suggest 
saying 'any' instead of a range.

Also, above you stated you wanted to exclude tcp/ip.. but here you've 
explicitly got udp included as well as a blanket for all IP.. so do you 
want to exclude _all_ IP, or just tcp/ip?

Also, do you only want to pass traffic flowing to that server, or traffic 
flowing in both directions?

I'd suggest this pass rule to blanket-cover everything IP flowing between 
10.1.0.* and

                 pass ip any <> any

To do an additional pass of tcp and udp is redundant. If you only want to 
pass traffic from 10.1.0.* to the server, and not pass replies, use -> 
instead of <>.

Also be sure to pass -o parameter to snort.

>2. If I want, at a later date, to monitor particular port traffic, do I add
>the ports I want to monitor AFTER the
>     blanket range shown in item 1, or do I add them BEFORE it?

You will need to modify your pass rule to no longer be a blanket.. It 
doesn't matter which order the rules are in, if you pass the -o parameter 
to snort ALL pass rules will occur before ALL other rules.. if you don't 
pass -o to snort, then ALL alert rules will be run before any pass rules 
are run..

Thus to snort, it never matters if an alert rule comes before or after a 
pass rule in the config file, there's a precedence behavior for the rule 
type where one will always occur before the other, no matter what order 
they are in.

More information about the Snort-users mailing list