[Snort-users] Rules Question

Roy Kidder rkidder at ...13076...
Mon Feb 28 12:43:05 EST 2005


Even when using the -o flag, I still get alerts on many things. For example,

pass udp 192.168.1.33 any -> any 161

still generates alerts for 'SNMP request udp'

and neither sfscan nor rules like:

pass ip  192.168.1.5/32 any -> any 80
pass tcp 192.168.1.5/32 any -> any 80

stop the '(portscan) Open Port' alerts for regular web browsing.

Anyone have any suggestions?


> -----Original Message-----
> From: Jeff Dell [mailto:jdell at ...1095...] 
> Sent: Friday, February 25, 2005 9:04 AM
> To: 'Roy Kidder'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Rules Question
> 
> Check your rules order. By default it is alert -> pass -> log 
> -> etc...
> 
> Try adding the flag -o to your command line options when 
> starting snort.
> 
> Cheers,
> Jeff 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net 
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> > Roy Kidder
> > Sent: Friday, February 25, 2005 8:26 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Rules Question
> > 
> > I'm trying to write what I expected to be a simple set of rules,
> > but it's not working for me. They look like this:
> > 
> > pass udp any any <> 10.0.0.10 53
> > pass udp any any <> 192.168.1.5 53
> > alert udp any any <> any 53 (msg: "DNS Query";)
> > 
> > What I expected was to alert on any DNS queries except those 
> > to 10.0.0.10 or
> > to 192.168.1.5. Instead, I'm seeing alerts on everything 
> > including those two
> > hosts. 
> > 
> > Any pointers on what I did wrong?
> > 
> > Thanks in advance,
> > Roy
> > 
> >  
> > Roy Kidder
> > Network Engineer
> > Safelite Glass Corp.
> > 
> > 
> > 
> > 

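Added worked example (not part of the thread, and not Snort's own code): a small model of how Snort 2.x of that era applied rule order. Rules are grouped by action and the groups are checked in a fixed sequence; the default sequence is alert, pass, log, and the -o switch changes it to pass, alert, log. The first group that contains a matching rule decides what happens to the packet, which is why the three DNS rules quoted above still alerted on 10.0.0.10 and 192.168.1.5 without -o. The script parses only the rule header (action, protocol, addresses, ports, direction, including the bidirectional <> operator) and ignores rule options; the packets it checks are constructed for the example.

```python
"""Model of Snort 2.x action-group rule ordering (constructed example).

Snort 2.x evaluates rules by action group in a fixed order. The default
order is alert -> pass -> log; `-o` changes it to pass -> alert -> log.
A packet is handled by the first group that holds a matching rule, so
under the default order a matching alert rule fires even though a pass
rule also matches. Only the rule header is modelled; options in ( ) are
ignored. Packets and rule lists below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 2.x default order
DASH_O_ORDER = ("pass", "alert", "log")    # order with -o on the command line

# action proto src sport (->|<>) dst dport ; anything after dport is ignored
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    text: str


def parse_rule(text):
    """Parse a Snort rule header into a Rule; raise on anything unparseable."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"],
                g["dir"], g["dst"], g["dport"], text.strip())


def _addr_match(spec, addr):
    # 'any', a bare host, host/32 or a CIDR block
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    # 'any', a single port, or a low:high range with either end open
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def _one_way(rule, proto_ok, src, sport, dst, dport):
    return (proto_ok and _addr_match(rule.src, src) and _port_match(rule.sport, sport)
            and _addr_match(rule.dst, dst) and _port_match(rule.dport, dport))


def rule_matches(rule, pkt):
    """Header match; 'ip' rules match any protocol, '<>' matches both directions."""
    proto_ok = rule.proto == "ip" or rule.proto == pkt.proto
    fwd = _one_way(rule, proto_ok, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule.direction == "<>":
        rev = _one_way(rule, proto_ok, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd or rev
    return fwd


def decide(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, rule_text) from the first action group with a matching
    rule, or ("none", None) when no rule matches."""
    for action in order:
        for r in rules:
            if r.action == action and rule_matches(r, pkt):
                return action, r.text
    return "none", None


# The three rules from the original question in this thread.
RULES = [parse_rule(t) for t in (
    "pass udp any any <> 10.0.0.10 53",
    "pass udp any any <> 192.168.1.5 53",
    'alert udp any any <> any 53 (msg: "DNS Query";)',
)]

if __name__ == "__main__":
    # constructed packets: a query to a listed server, its reply, and a query elsewhere
    pkts = [Packet("udp", "192.168.1.50", 40000, "10.0.0.10", 53),
            Packet("udp", "10.0.0.10", 53, "192.168.1.50", 40000),
            Packet("udp", "192.168.1.50", 40000, "8.8.8.8", 53)]
    for label, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        for p in pkts:
            print(f"{label:8} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {decide(RULES, p, order)[0]}")
```

Running the script shows the effect Jeff describes: under the default order every DNS packet comes out as "alert", and with the -o order the packets to and from 10.0.0.10 come out as "pass" while the query to 8.8.8.8 still alerts. Two caveats worth keeping in mind, both general Snort 2.x behaviour rather than anything stated in the thread: a pass rule only affects rules-engine events, so events produced by a preprocessor such as sfPortscan are tuned with the preprocessor's own ignore_scanners / ignore_scanned options or with suppress and threshold lines in snort.conf, not with pass rules; and a pass rule written with -> covers one direction only, so responses from the passed host take the <> form used in the rules above.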