[Snort-users] PASS rule not working?

Loïc Etienne loic.etienne at ...7615...
Tue Aug 4 05:35:31 EDT 2009


Hello,

We are using custom pass rules to disable alerts for some hosts/ports, 
but still get alerts for those... We are using Snort SP beta 2. Is there 
a problem with our rules?

Rule order is "Rule application order: 
activation->dynamic->pass->drop->alert->log".

Thanks in advance for your help! Details below:

The pass rule:
pass tcp any 1024: <> 83.231.216.140  8000

The alert rule:
alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
   msg:"IRC NICK command"; \
   flow:established; \
   content:"NICK"; offset:0; depth:256; \
   pcre:"/^((\x3a[^\x00\x20\r\n]+\x20+)?\w+(\x20[^\x00\r\n]*)?\r?\n)*?(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
   classtype:policy-violation; \
   sid:3584011; rev:4; )

And the unexpected alert:
[**] [1:3584011:4] IRC NICK command [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
08/03/09-10:59:03.366483 137.xxx.xxx.xxx:2774 -> 83.231.216.140:8000
TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
***AP*** Seq: 0x335AA519  Ack: 0x7AC349AF  Win: 0xFFFF  TcpLen: 20

Cheers,
Loïc Etienne
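To check whether the pass rule header in the post actually covers the flow reported in the alert, the following Python is an added example, not code from the post or from the Snort project. It is a simplified model of Snort header matching (protocol, single address or "any", port specs such as "1024:", and the bidirectional "<>" operator) applied to the 5-tuple parsed out of the alert text. The redacted source address 137.xxx.xxx.xxx is replaced by the placeholder 192.0.2.10 (the pass rule's source is "any", so the value does not change the outcome). The model ignores variables, negation, address lists and everything after the header (flow, content, pcre), so a match here only shows that the header is not the reason the pass rule fails to take effect; rule ordering and option evaluation are outside what it tests.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed samples: the pass rule quoted in the post, plus a one-way variant
# used to show the difference between "<>" and "->".
PASS_RULE = "pass tcp any 1024: <> 83.231.216.140  8000"
ONE_WAY_RULE = "pass tcp any 1024: -> 83.231.216.140 8000"

# Constructed sample alert: the post's alert with the redacted source address
# replaced by 192.0.2.10 (TEST-NET-1), a placeholder rather than the real host.
SAMPLE_ALERT = """[**] [1:3584011:4] IRC NICK command [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
08/03/09-10:59:03.366483 192.0.2.10:2774 -> 83.231.216.140:8000
TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
***AP*** Seq: 0x335AA519  Ack: 0x7AC349AF  Win: 0xFFFF  TcpLen: 20
"""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_port(spec):
    """Port spec -> (lo, hi). Handles 'any', 'N', 'N:', ':N' and 'N:M'."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def parse_addr(spec):
    """Address spec -> ip_network, or None for 'any' (no lists or negation here)."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec, strict=False)


def parse_header(rule):
    """Split a Snort rule into its seven header fields; options after '(' are ignored."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7:
        raise ValueError("expected 7 header fields: " + rule)
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError("bad direction operator: " + direction)
    return {
        "action": action, "proto": proto.lower(), "dir": direction,
        "src": parse_addr(src), "sport": parse_port(sport),
        "dst": parse_addr(dst), "dport": parse_port(dport),
    }


def _endpoint_match(net, port_range, ip, port):
    in_net = net is None or ipaddress.ip_address(ip) in net
    lo, hi = port_range
    return in_net and lo <= port <= hi


def header_matches(rule, pkt):
    """True if the rule header covers the packet; '<>' is tried in both directions."""
    h = parse_header(rule)
    if h["proto"] != pkt.proto.lower():
        return False
    forward = (_endpoint_match(h["src"], h["sport"], pkt.src, pkt.sport)
               and _endpoint_match(h["dst"], h["dport"], pkt.dst, pkt.dport))
    if h["dir"] == "->":
        return forward
    reverse = (_endpoint_match(h["src"], h["sport"], pkt.dst, pkt.dport)
               and _endpoint_match(h["dst"], h["dport"], pkt.src, pkt.sport))
    return forward or reverse


_FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def packet_from_alert(alert_text):
    """Pull the 5-tuple out of a Snort full-format alert; the protocol is the
    first token of the line that follows the flow line (e.g. 'TCP TTL:124 ...')."""
    lines = alert_text.splitlines()
    for i, line in enumerate(lines):
        m = _FLOW_RE.search(line)
        if m:
            proto = lines[i + 1].split()[0].lower() if i + 1 < len(lines) else "ip"
            return Packet(proto, m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    raise ValueError("no flow line found in alert")


if __name__ == "__main__":
    pkt = packet_from_alert(SAMPLE_ALERT)
    print(pkt)
    print("pass rule header covers the alerted flow:", header_matches(PASS_RULE, pkt))
```

Running it reports that the header of the pass rule does cover the alerted flow (source port 2774 is within "1024:", the destination is 83.231.216.140:8000, and "<>" would also cover the reply direction), so the cause has to be looked for in how the pass rule is ordered and evaluated relative to the alert rule rather than in the header itself.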
