[Snort-users] Rules Question
rkidder at ...13076...
Mon Feb 28 12:43:05 EST 2005
Even when using the -o flag, I still get alerts on many things. For example,
pass udp 192.168.1.33 any -> any 161
still generates alerts for 'SNMP request udp'
and neither sfscan nor rules like:
pass ip 192.168.1.5/32 any -> any 80
pass tcp 192.168.1.5/32 any -> any 80
stop the '(portscan) Open Port' alerts for regular web browsing.
Anyone have any suggestions?
> -----Original Message-----
> From: Jeff Dell [mailto:jdell at ...1095...]
> Sent: Friday, February 25, 2005 9:04 AM
> To: 'Roy Kidder'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Rules Question
> Check your rules order. By default it is alert -> pass -> log
> -> etc...
> Try adding the flag -o to your command line options when
> starting snort.
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> > Roy Kidder
> > Sent: Friday, February 25, 2005 8:26 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Rules Question
> > I'm trying to write what I expected to be a simple set of rules,
> > but it's not working for me. They look like this:
> > pass udp any any <> 10.0.0.10 53
> > pass udp any any <> 192.168.1.5 53
> > alert udp any any <> any 53 (msg: "DNS Query";)
> > What I expected was to alert on any DNS queries except those to 10.0.0.10
> > or to 192.168.1.5. Instead, I'm seeing alerts on everything including
> > those two hosts.
> > Any pointers on what I did wrong?
> > Thanks in advance,
> > Roy
> > Roy Kidder
> > Network Engineer
> > Safelite Glass Corp.
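A small simulation of the rule-ordering behaviour this thread is about, added here as an illustration; it is not code from Snort or from any of the posters. It assumes the Snort 2.x default evaluation order of alert -> pass -> log and the pass -> alert -> log order that `-o` selects, as Jeff's reply describes. The `Packet` and `Rule` types, the matcher and the sample packets are constructed for the example; the matcher only understands rule headers (CIDR or single addresses, `any`, single ports or `lo:hi` ranges, `->` and `<>`) and reads nothing from the options except `msg`.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Snort 2.x evaluation orders: the default, and what the -o flag switches to.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")


class Packet(NamedTuple):          # constructed 5-tuple, not a real capture
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Rule(NamedTuple):            # header fields plus the msg option
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str


def parse_rule(line: str) -> Rule:
    """Parse 'action proto src sport dir dst dport [(options)]' (header only)."""
    header, _, opts = line.partition("(")
    parts = header.split()
    if len(parts) != 7:
        raise ValueError(f"unsupported rule header: {line!r}")
    msg = ""
    for opt in opts.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key.strip() == "msg":
            msg = value.strip().strip('"')
    return Rule(*parts, msg)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                 # lo:hi, either end may be open
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header match; '<>' rules match a packet in either direction."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    forward = (_addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
               and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport))
    if rule.direction == "->":
        return forward
    if rule.direction == "<>":
        reverse = (_addr_matches(rule.src, pkt.dst) and _port_matches(rule.sport, pkt.dport)
                   and _addr_matches(rule.dst, pkt.src) and _port_matches(rule.dport, pkt.sport))
        return forward or reverse
    raise ValueError(f"unknown direction {rule.direction!r}")


def evaluate(rules, pkt: Packet, order=DEFAULT_ORDER) -> Optional[Tuple[str, str]]:
    """Return (action, msg) of the first rule that matches, trying rule
    types in `order`. A pass match ends evaluation, so it only shields the
    packet from an alert if pass rules are checked before alert rules."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return None


# The three rules from Roy's first post.
RULES = [parse_rule(r) for r in (
    "pass udp any any <> 10.0.0.10 53",
    "pass udp any any <> 192.168.1.5 53",
    'alert udp any any <> any 53 (msg: "DNS Query";)',
)]

# Constructed packets: a query to the local resolver, its reply, and a query elsewhere.
QUERY_TO_LOCAL = Packet("udp", "192.168.1.77", 5353, "10.0.0.10", 53)
REPLY_FROM_LOCAL = Packet("udp", "10.0.0.10", 53, "192.168.1.77", 5353)
QUERY_TO_EXTERNAL = Packet("udp", "192.168.1.77", 5353, "203.0.113.9", 53)

if __name__ == "__main__":
    for name, pkt in (("local query", QUERY_TO_LOCAL), ("local reply", REPLY_FROM_LOCAL),
                      ("external query", QUERY_TO_EXTERNAL)):
        print(f"{name:15} default: {evaluate(RULES, pkt)}  -o: {evaluate(RULES, pkt, PASS_FIRST_ORDER)}")
```

Under the default order the local query and its reply both come back as `("alert", "DNS Query")`, which is exactly what Roy saw; with the `-o` order the two pass rules win and only the external query still alerts. Note that this models the detection engine only: the `(portscan)` events in the later reply are raised by a preprocessor rather than by a rule, so rule ordering has no bearing on them.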