[Snort-users] issue with 2.8.2

Joel Esler joel.esler at ...3027...
Tue Jun 3 21:02:01 EDT 2008


Did you move pass rules to the front of evaluation, either through a  
config statement, or through -o at the command line?

Joel

On Jun 3, 2008, at 8:46 PM, Jason Haar wrote:

> Hi there
>
> I've just upgraded from 2.8.0.1 to 2.8.2 and an existing rule started
> triggering that isn't meant to.
>
> We have some DMZes which aren't meant to make unexpected outbound
> connections, so we use "pass" rules to ignore/pass traffic that is
> expected, and then trigger on everything else. Works well - until today.
>
> pass tcp $DMZES_NETS any -> any 53 (msg:"DMZ host doing DNS zone transfer or large DNS lookup"; sid:3000023;rev:2;)
> alert tcp $DMZES_NETS any -> any 26:79 (msg:"DMZ host attempting outgoing connection to port range 26-79";flags:S;tag: session, 10, packets;classtype:successful-admin;sid:1000007;rev:1;reference: url, /secure/cvename.php?name=1000007;)
>
> The DMZES_NETS contain hosts that do full Internet DNS lookups - which
> means mostly UDP/DNS with the occasional TCP/DNS query.
>
> What we are seeing today (since upgrading to 2.8.2) is alerts on
> TCP-based DNS lookups. The alerts generated ("DMZ host attempting
> outgoing connection to port range 26-79") have the SYN set, and are  
> TCP
> port 53 - as above. And yet the previous 30000023 didn't trigger and
> pass it...?
>
> This is on CentOS4.6 systems - yes - it's triggering on multiple DMZes
> and different snort servers.
>
> Is this a bug, or has some logic changed that makes the above rule combo
> incorrect now? The DNS preprocessor is enabled if that matters...
>
> Thanks!
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>


--
Joel Esler
  joel.esler at ...3027... http://blog.joelesler.net
[m]
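The rule-type ordering Joel asks about, as an added example that is not part of the thread or of Snort's own code: a simplified Python model in which the first matching rule, walking the configured type order, decides the packet. The $DMZES_NETS value and the packets are constructed; real Snort's detection engine groups rules by port and carries more state, but the alert-before-pass default is what matters here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample value for $DMZES_NETS (not taken from the post).
DMZES_NETS = [ipaddress.ip_network("10.1.1.0/24")]

@dataclass
class Packet:
    src: str      # source IP
    dport: int    # destination TCP port
    syn: bool     # SYN flag set

@dataclass
class Rule:
    action: str            # "pass", "alert" or "log"
    dports: range          # Snort "lo:hi" is inclusive, so range(lo, hi + 1)
    flags_syn: bool = False  # rule carries flags:S
    msg: str = ""

    def matches(self, p: Packet) -> bool:
        src_ok = any(ipaddress.ip_address(p.src) in n for n in DMZES_NETS)
        return src_ok and p.dport in self.dports and (p.syn or not self.flags_syn)

# The two rules from the thread, reduced to ports and flags (tag/sid/etc. omitted).
RULES = [
    Rule("pass", range(53, 54),
         msg="DMZ host doing DNS zone transfer or large DNS lookup"),
    Rule("alert", range(26, 80), flags_syn=True,
         msg="DMZ host attempting outgoing connection to port range 26-79"),
]

DEFAULT_ORDER = ("alert", "pass", "log")     # Snort 2.x default: alert first
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what -o / config order gives

def evaluate(p: Packet, order=DEFAULT_ORDER, rules=RULES) -> Optional[str]:
    """Return the action of the first rule that matches, visiting rule types
    in `order`.  With the default order a TCP/53 SYN hits the alert rule
    before the pass rule is ever considered; with pass first it is ignored."""
    for action in order:
        for r in rules:
            if r.action == action and r.matches(p):
                return action
    return None

if __name__ == "__main__":
    dns_syn = Packet("10.1.1.5", 53, True)
    print("default order:", evaluate(dns_syn))                    # alert
    print("pass first:   ", evaluate(dns_syn, PASS_FIRST_ORDER))  # pass
```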