[Snort-users] issue with 2.8.2
Jason.Haar at ...294...
Thu Jun 5 21:19:48 EDT 2008
Steven Sturges wrote:
> Hi Jason--
> Couldn't you just use a port list to eliminate the 'allowed'
> DNS queries and the pass rule? Performance would be much
> better this way.
The rules I showed were just a sample - it's affecting all sorts of things.
Here's a HTTP sample. I want to allow DMZ servers to connect to AV
websites, and alert on any other Websites
pass tcp $DMZES_NETS any -> any 80 (msg:"DMZ host to Trend";flow
[bunch of other "pass" rules for other AV sites]
alert tcp $DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 80 (msg:"DMZ host
communicating to an unsupported Web server";flow:to_server,established;
content:"Host|3a|";depth:512;nocase;tag: session, 10,
...and yet we are currently getting alerts when DMZ servers call
www.trendmicro.com. BASE shows "Host : www.trendmicro.com\r\n" in the
offending packet - that should have matched the "pass" rule!
And "-o" is present, and the output when snort starts shows:
Rule application order: activation->dynamic->pass->drop->alert->log
This is snort-2.8.2 under CentOS4.6
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users