[Snort-users] Snort Rules Help
acunningham at ...12091...
Fri Jul 9 09:27:29 EDT 2004
Can someone help with a problem I'm having trying to write Snort rules?
I have a series of rules to either pass legitimate traffic or alert on
certain events. Finally I have a catch all rule to alert on any packet
not covered by the above. I've changed the rule order with -o so that
pass rules have the desired effect, and this seems to be working.
pass udp $SRC any <> $DEST $PORT (classtype:ignore;)
alert ip any any -> any any (msg: "Unexpected unclassified traffic";
classtype: unexpected-traffic; )
These rules work fine for most of the traffic, but when I get a
fragmented UDP packet coming through, the fragment causes the alert to be
I've tried adding a fragoffset:0 into the rule to only alert if it's
the first fragment, but it doesn't seem to help.
Can anyone suggest what I might be doing wrong?
Thanks in advance
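Added illustration (not part of the original post or of Snort itself): a small Python model of the rule set described above under pass-before-alert ordering. It builds a UDP datagram, fragments it the way a router with a smaller MTU would, and classifies each fragment the way a port-based pass rule followed by an `alert ip any any` catch-all would see it. Only the first fragment carries the UDP header, so a rule that needs `$PORT` cannot match later fragments and they fall through to the catch-all; once fragments are reassembled before matching (the job of Snort's fragment-reassembly preprocessor), the whole datagram matches the pass rule. The addresses, port and packet sizes are constructed placeholders standing in for `$SRC`, `$DEST` and `$PORT`.

```python
import struct
from ipaddress import IPv4Address

# Constructed placeholders standing in for the post's $SRC, $DEST and $PORT variables.
SRC = "192.0.2.10"
DEST = "198.51.100.20"
PORT = 5060
UDP = 17
CATCH_ALL = "alert: Unexpected unclassified traffic"


def ipv4_packet(src, dst, proto, payload, ident=0x1234, mf=False, offset=0):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    offset is in 8-byte units, as on the wire; mf sets the More Fragments flag."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def udp_datagram(sport, dport, data):
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, proto, transport, mtu):
    """Split one transport-layer datagram into IP fragments that fit the MTU."""
    chunk = (mtu - 20) // 8 * 8          # fragment payloads are multiples of 8 bytes
    frags = []
    for off in range(0, len(transport), chunk):
        piece = transport[off:off + chunk]
        more = off + chunk < len(transport)
        frags.append(ipv4_packet(src, dst, proto, piece, mf=more, offset=off // 8))
    return frags


def parse_ipv4(pkt):
    """Decode the fields the rules care about from a raw IPv4 packet."""
    vihl, _, total, ident, flags_frag, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0xF) * 4
    return {"src": str(IPv4Address(s)), "dst": str(IPv4Address(d)), "proto": proto,
            "id": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total]}


def classify(pkt):
    """Emulate the post's two rules with pass rules evaluated first (snort -o).
    The pass rule 'pass udp $SRC any <> $DEST $PORT' needs UDP ports, which are
    present only in the first fragment (offset 0) of a fragmented datagram."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == UDP and ip["offset"] == 0 and len(ip["payload"]) >= 8:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        forward = ip["src"] == SRC and ip["dst"] == DEST and dport == PORT
        reverse = ip["src"] == DEST and ip["dst"] == SRC and sport == PORT
        if forward or reverse:
            return "pass"
    return CATCH_ALL                      # 'alert ip any any -> any any' catches the rest


def reassemble(frags):
    """Join fragments of one datagram back together, which is what a fragment
    reassembly preprocessor does before the rules ever see the packet."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if parsed[0]["offset"] != 0 or parsed[-1]["mf"]:
        raise ValueError("incomplete fragment set")
    first = parsed[0]
    body = b"".join(p["payload"] for p in parsed)
    return ipv4_packet(first["src"], first["dst"], first["proto"], body, ident=first["id"])


def demo():
    """Classify each raw fragment, then the reassembled datagram."""
    dgram = udp_datagram(40000, PORT, b"A" * 2000)   # constructed 2000-byte payload
    frags = fragment(SRC, DEST, UDP, dgram, mtu=1500)
    per_fragment = [classify(f) for f in frags]
    whole = classify(reassemble(frags))
    return per_fragment, whole


if __name__ == "__main__":
    per_fragment, whole = demo()
    for i, verdict in enumerate(per_fragment):
        print(f"fragment {i}: {verdict}")
    print(f"reassembled: {whole}")
```

With a 2000-byte payload and a 1500-byte MTU the datagram becomes two fragments: the first passes, the second (no UDP header, non-zero offset) hits the catch-all alert, and the reassembled datagram passes. That is the same behaviour a `fragoffset:0` test on the catch-all rule cannot fix on its own, because the problem is that the non-first fragment never matches the pass rule in the first place.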