[Snort-users] issue with 2.8.2

Jason Haar Jason.Haar at ...294...
Thu Jun 5 21:19:48 EDT 2008

Steven Sturges wrote:
> Hi Jason--
> Couldn't you just use a port list to eliminate the 'allowed'
> DNS queries and the pass rule?  Performance would be much
> better this way.
The rules I showed were just a sample - it's affecting all sorts of things.

Here's a HTTP sample. I want to allow DMZ servers to connect to AV 
websites, and  alert on any other Websites

pass tcp $DMZES_NETS any -> any 80 (msg:"DMZ host to Trend";flow
:to_server,established; content:"Host|3a|";pcre:"/Host: 
[bunch of other "pass" rules for other AV sites]
alert tcp $DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 80 (msg:"DMZ host 
communicating to an unsupported Web server";flow:to_server,established; 
content:"Host|3a|";depth:512;nocase;tag: session, 10, 
packets;classtype:successful-admin;sid:1000008;rev:1;reference: url, 

...and yet we are currently getting alerts when DMZ servers call 
www.trendmicro.com. BASE shows "Host : www.trendmicro.com\r\n" in the 
offending packet - that should have matched the "pass" rule!

And "-o" is present, and the output when snort starts shows:

Rule application order: activation->dynamic->pass->drop->alert->log

This is snort-2.8.2 under CentOS4.6


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list