[Snort-users] Rules Question

Roy Kidder rkidder at ...13076...
Mon Feb 28 14:07:29 EST 2005


So even using the -o flag, the preprocessors are applied first (before my
'pass' rules)? 

There are a few reasons I'd like to simply ignore traffic before anything
else is applied, including

* internal IPs are masqueraded into a range of external IPs and are
generating port scan alerts. I'd like to ignore the 'legit' traffic
(80,443,21,etc) while not ignoring the potentially bad traffic
(135,137-139,445, IRC bots on 1337).

* on my internal network, my backup server uses RPC pretty heavily, but I
don't want to ignore anything coming from or going to it.

And so on...

If I did all this using a BPF, it would get cumbersome quickly. That's why
I'm searching for an alternative.

Thanks,
Roy

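As an added illustration (not code from the thread or from the Snort project), a small Python simulation of the rule-type ordering discussed below: it parses the three rules from the original question and shows that, with the default alert -> pass -> log order, the alert fires before the pass rule is ever consulted, while the -o order (pass -> alert -> log) lets the pass rule win. The rule matcher here is a minimal stand-in for Snort's, handling only the header fields, 'any', host/CIDR addresses and the '<>' bidirectional operator.

```python
import ipaddress

# Rules quoted from the thread's original question (constructed input for this example).
RULES_TEXT = """
pass udp any any <> 10.0.0.10 53
pass udp any any <> 192.168.1.5 53
alert udp any any <> any 53 (msg: "DNS Query";)
"""

def parse_rule(line):
    """Split a rule header into its seven fields; the options part, if any, is ignored."""
    action, proto, src, sport, direction, dst, dport = line.split(None, 7)[:7]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}

def parse_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]

def addr_matches(spec, addr):
    # 'any' matches everything; otherwise the spec is a host or CIDR block.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def one_way(rule, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

def rule_matches(rule, pkt):
    """pkt is (proto, src, sport, dst, dport); '<>' is tried in both directions."""
    proto, src, sport, dst, dport = pkt
    if rule["proto"] != proto:
        return False
    if one_way(rule, src, sport, dst, dport):
        return True
    return rule["direction"] == "<>" and one_way(rule, dst, dport, src, sport)

def evaluate(rules, pkt, pass_first=False):
    """Action of the first matching rule. Snort 2.x checks rule types in the order
    alert -> pass -> log by default; '-o' changes it to pass -> alert -> log, and only
    one rule fires per packet, so the order decides whether a pass rule is ever reached."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action
    return None
```

Note that this models rule evaluation only; as the replies below point out, preprocessor output such as the portscan alerts is not affected by pass rules at all.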


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Jeff Dell
> Sent: Monday, February 28, 2005 3:53 PM
> To: 'Roy Kidder'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Rules Question
> 
> These rules will not stop the preprocessors; what you want to 
> do is add
> options in the portscan preprocessor to ignore from certain 
> hosts. To remove
> certain hosts altogether without worrying about any of 
> these pass rules,
> just add a BPF (Berkeley packet filter) to the end of the 
> command to start
> Snort.
> 
> Example:
> snort -d -A fast -c snort.conf not (src host 192.168.1.5 and 
> dst port 80)
> 
> 
> Jeff
> 
> > -----Original Message-----
> > From: Roy Kidder [mailto:rkidder at ...13076...] 
> > Sent: Monday, February 28, 2005 3:41 PM
> > To: 'Jeff Dell'; snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Rules Question
> > 
> > Even when using the -o flag, I still get alerts on many 
> > things. For example,
> > 
> > pass udp 192.168.1.33 any -> any 161
> > 
> > still generates alerts for 'SNMP request udp'
> > 
> > and neither sfscan nor rules like:
> > 
> > pass ip  192.168.1.5/32 any -> any 80
> > pass tcp 192.168.1.5/32 any -> any 80
> > 
> > stop the '(portscan) Open Port' alerts for regular web browsing.
> > 
> > Anyone have any suggestions?
> > 
> > 
> > > -----Original Message-----
> > > From: Jeff Dell [mailto:jdell at ...1095...] 
> > > Sent: Friday, February 25, 2005 9:04 AM
> > > To: 'Roy Kidder'; snort-users at lists.sourceforge.net
> > > Subject: RE: [Snort-users] Rules Question
> > > 
> > > Check your rules order. By default it is alert -> pass -> log 
> > > -> etc...
> > > 
> > > Try adding the flag -o to your command line options when 
> > > starting snort.
> > > 
> > > Cheers,
> > > Jeff 
> > > 
> > > > -----Original Message-----
> > > > From: snort-users-admin at lists.sourceforge.net 
> > > > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> > > > Roy Kidder
> > > > Sent: Friday, February 25, 2005 8:26 AM
> > > > To: snort-users at lists.sourceforge.net
> > > > Subject: [Snort-users] Rules Question
> > > > 
> > > > I'm trying to write what I expected to be a simple set of rules, 
> > > > but it's not
> > > > working for me. They look like this:
> > > > 
> > > > pass udp any any <> 10.0.0.10 53
> > > > pass udp any any <> 192.168.1.5 53
> > > > alert udp any any <> any 53 (msg: "DNS Query";)
> > > > 
> > > > What I expected was to alert on any DNS queries except those 
> > > > to 10.0.0.10 or
> > > > to 192.168.1.5. Instead, I'm seeing alerts on everything 
> > > > including those two
> > > > hosts. 
> > > > 
> > > > Any pointers on what I did wrong?
> > > > 
> > > > Thanks in advance,
> > > > Roy
> > > > 
> > > >  
> > > > Roy Kidder
> > > > Network Engineer
> > > > Safelite Glass Corp.
> > > > 
> > > > 
> > > > 
> > > > 