[Snort-users] Snort Rules Help

Esler, Joel - Contractor joel.esler at ...9426...
Fri Jul 9 11:33:07 EDT 2004


Is it coming through on one of the preprocessors?  What alert is it
generating?
 
J

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
Cunningham, Andy
Sent: Friday, July 09, 2004 12:26 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Rules Help


Hi there. 
 
Can someone help with a problem I'm having trying to write Snort rules?

 
I have a series of rules to either pass legitimate traffic or alert on
certain events.  Finally I have a catch-all rule to alert on any packet
not covered by the above.  I've changed the rule order with -o so that
pass rules have the desired effect, and this seems to be working.
 
# Let the expected UDP traffic through (every rule option must end in ';')
pass udp $SRC any <> $DEST $PORT (classtype:ignore;)
# Catch-all: alert on anything the rules above did not pass (one rule per line)
alert ip any any -> any any (msg:"Unexpected unclassified traffic"; classtype:unexpected-traffic;)

 
 
These rules work fine for most of the traffic, but when a fragmented
UDP packet comes through, the fragment causes the alert to be
generated.
 
I've tried adding a fragoffset:0 into the rule to only alert if it's
the first fragment, but it doesn't seem to help.
 
Can anyone suggest what I might be doing wrong?
 
Thanks in advance
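The following is an added example, not code from either poster or from the Snort project. It hand-builds a UDP datagram, splits it into IPv4 fragments, and then evaluates two toy rules modelled on the posted pass/alert pair under pass-before-alert ordering. It is a model of the rule semantics only, not of Snort's engine or its fragment preprocessor: a rule that keys on UDP ports can only match the fragment that carries the UDP header (fragment offset 0), so a trailing fragment is left for the "ip any any" catch-all, and a fragoffset:0 constraint on that catch-all is what would suppress it in this model. The addresses, ports, identification value and payload are constructed values standing in for $SRC, $DEST and $PORT.

```python
# Added example (not from the mailing-list thread): fragment a UDP datagram
# and evaluate a pass/alert pair modelled on the posted rules.
# Addresses, ports and payload below are constructed placeholder values.
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

SRC = "10.0.0.1"   # stands in for $SRC
DEST = "10.0.0.2"  # stands in for $DEST
PORT = 514         # stands in for $PORT
UDP = 17


def ipv4_header(src, dst, total_len, ident, mf, frag_offset_units, proto=UDP):
    """Minimal 20-byte IPv4 header (checksum left at 0; the parser ignores it)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def fragment_udp(src, dst, sport, dport, payload, frag_size=24, ident=0x1234):
    """Build a UDP datagram and split it into IPv4 fragments carrying
    frag_size bytes each (a multiple of 8, since the offset field counts
    8-byte units). Only the first fragment contains the UDP header."""
    assert frag_size % 8 == 0
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    frags = []
    for off in range(0, len(udp), frag_size):
        chunk = udp[off:off + frag_size]
        more = off + frag_size < len(udp)
        frags.append(ipv4_header(src, dst, 20 + len(chunk), ident, more, off // 8) + chunk)
    return frags


@dataclass
class Parsed:
    src: str
    dst: str
    proto: int
    mf: bool
    frag_offset: int        # in bytes
    sport: Optional[int]    # None when this fragment has no UDP header
    dport: Optional[int]


def parse(pkt: bytes) -> Parsed:
    """Decode the IPv4 header; read UDP ports only from an offset-0 fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, _total, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    mf = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    sport = dport = None
    if proto == UDP and frag_offset == 0 and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Parsed(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, mf,
                  frag_offset, sport, dport)


def pass_rule_matches(p: Parsed) -> bool:
    """Model of 'pass udp $SRC any <> $DEST $PORT': needs a UDP header with
    the right port in either direction, which only the first fragment has."""
    if p.proto != UDP or p.sport is None:
        return False
    return ((p.src == SRC and p.dst == DEST and p.dport == PORT) or
            (p.src == DEST and p.dst == SRC and p.sport == PORT))


def alert_rule_matches(p: Parsed, require_first_fragment: bool = False) -> bool:
    """Model of 'alert ip any any -> any any', optionally with fragoffset:0."""
    return (not require_first_fragment) or p.frag_offset == 0


def evaluate(frags: List[bytes], require_first_fragment: bool = False) -> List[str]:
    """Pass rules are tried before alert rules (the effect of -o); return one
    verdict per fragment: 'pass', 'alert' or 'none'."""
    verdicts = []
    for pkt in frags:
        p = parse(pkt)
        if pass_rule_matches(p):
            verdicts.append("pass")
        elif alert_rule_matches(p, require_first_fragment):
            verdicts.append("alert")
        else:
            verdicts.append("none")
    return verdicts


if __name__ == "__main__":
    frags = fragment_udp(SRC, DEST, 40000, PORT, b"A" * 40)  # constructed datagram
    for pkt in frags:
        print(parse(pkt))
    print("catch-all as posted:   ", evaluate(frags))
    print("catch-all + fragoffset:0", evaluate(frags, require_first_fragment=True))
```

Running it shows the second fragment parsed with no ports and a 24-byte offset, a verdict list of pass then alert for the rules as posted, and pass then none once the catch-all is restricted to offset-0 fragments. Whether Snort's fragment preprocessor reassembles the datagram before the rules see it is outside what the thread states, so the model is only the port-versus-fragment mechanism.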
 
 
