[Snort-users] issue with 2.8.2

Jason Haar Jason.Haar at ...294...
Thu Jun 5 21:19:48 EDT 2008


Steven Sturges wrote:
> Hi Jason--
>
> Couldn't you just use a port list to eliminate the 'allowed'
> DNS queries and the pass rule?  Performance would be much
> better this way.
The rules I showed were just a sample - it's affecting all sorts of things.

Here's a HTTP sample. I want to allow DMZ servers to connect to AV 
websites, and  alert on any other Websites

pass tcp $DMZES_NETS any -> any 80 (msg:"DMZ host to Trend";flow
:to_server,established; content:"Host|3a|";pcre:"/Host: 
[^\s]+(trendmicro|trend|
antivirus)\.com/si";depth:512;nocase;sid:3000024;)
[bunch of other "pass" rules for other AV sites]
alert tcp $DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 80 (msg:"DMZ host 
communicating to an unsupported Web server";flow:to_server,established; 
content:"Host|3a|";depth:512;nocase;tag: session, 10, 
packets;classtype:successful-admin;sid:1000008;rev:1;reference: url, 
/secure/cvename.php?name=1000001;)


...and yet we are currently getting alerts when DMZ servers call 
www.trendmicro.com. BASE shows "Host : www.trendmicro.com\r\n" in the 
offending packet - that should have matched the "pass" rule!

And "-o" is present, and the output when snort starts shows:

Rule application order: activation->dynamic->pass->drop->alert->log

This is snort-2.8.2 under CentOS4.6


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-users mailing list