[Snort-users] PASS rule not working?

Loïc Etienne loic.etienne at ...7615...
Tue Aug 4 05:35:31 EDT 2009


We are using custom pass rules to disable alerts for some hosts/ports, 
but still get alerts for those... We are using Snort SP beta 2. Is there 
a problem with our rules?

Rule order is "Rule application order: 

Thanks in advance for your help! Details below:

The pass rule:
pass tcp any 1024: <>  8000

The alert rule:
alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
   msg:"IRC NICK command"; \
   flow:established; \
   content:"NICK"; offset:0; depth:256; \
   classtype:policy-violation; \
   sid:3584011; rev:4; )

And the unexpected alert:
[**] [1:3584011:4] IRC NICK command [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
08/03/09-10:59:03.366483 137.xxx.xxx.xxx:2774 ->
TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
***AP*** Seq: 0x335AA519  Ack: 0x7AC349AF  Win: 0xFFFF  TcpLen: 20

Loïc Etienne
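One way to check offline whether a pass rule's header actually covers the same 5-tuple an alert fires on is to evaluate the rule header the way Snort reads it: protocol, source address and port, direction, destination address and port. The script below is an added example written for this thread, not code from the original post or from the Snort project. It parses only the header (options such as flow: and content: are ignored) and supports Snort's any, N, N:, :N, N:M, !spec and [a,b] syntax for ports, plus host, CIDR, ! and lists for addresses. The archived post shows the pass rule and alert with their destination hosts cut off, so the destination 192.0.2.10, the client 198.51.100.5 and the value of $IRC_PORTS used here are constructed placeholders, not values from the message.

```python
"""Added example (not from the original post): match Snort rule headers
against a 5-tuple to see which rules cover a given connection.
IPs, ports and the $IRC_PORTS value are constructed sample values."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# action proto src sport (->|<>) dst dport ; options in (...) are not parsed.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_header(rule: str) -> dict:
    """Split a rule's header into its seven fields."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a rule header: {rule!r}")
    return m.groupdict()


def _resolve(spec: str, variables: Optional[dict]) -> str:
    """Replace a $VAR reference with its configured value."""
    if spec.startswith("$"):
        if not variables or spec not in variables:
            raise KeyError(f"undefined variable {spec}")
        return variables[spec]
    return spec


def port_matches(spec: str, port: int, variables: Optional[dict] = None) -> bool:
    """Snort port syntax: any, N, N:, :N, N:M, !spec, [a,b,...] (no nested lists)."""
    spec = _resolve(spec.strip(), variables)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port, variables) for p in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def ip_matches(spec: str, ip: str, variables: Optional[dict] = None) -> bool:
    """Snort address syntax: any, host, CIDR, !spec, [a,b,...] (no nested lists)."""
    spec = _resolve(spec.strip(), variables)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(a, ip, variables) for a in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(rule: str, flow: Flow, variables: Optional[dict] = None) -> bool:
    """True if the rule header covers the flow; '<>' is tried in both directions."""
    h = parse_header(rule)
    if h["proto"] not in ("ip", flow.proto):
        return False

    def one_way(src_ip, src_port, dst_ip, dst_port):
        return (ip_matches(h["src"], src_ip, variables)
                and port_matches(h["sport"], src_port, variables)
                and ip_matches(h["dst"], dst_ip, variables)
                and port_matches(h["dport"], dst_port, variables))

    if one_way(flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port):
        return True
    if h["dir"] == "<>":
        return one_way(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    return False


# Constructed sample rules: the destination host of the pass rule and the
# contents of $IRC_PORTS are placeholders, not values from the original post.
VARS = {"$IRC_PORTS": "[6666:7000]"}
PASS_RULE = "pass tcp any 1024: <> 192.0.2.10 8000"
ALERT_RULE = 'alert tcp any $IRC_PORTS -> any $IRC_PORTS (msg:"IRC NICK command"; sid:3584011;)'


def check(flow: Flow) -> dict:
    """Report which of the two sample rule headers cover the flow."""
    return {"pass": header_matches(PASS_RULE, flow, VARS),
            "alert": header_matches(ALERT_RULE, flow, VARS)}


if __name__ == "__main__":
    samples = [
        Flow("tcp", "198.51.100.5", 2774, "192.0.2.10", 8000),  # pass covers it
        Flow("tcp", "192.0.2.10", 8000, "198.51.100.5", 2774),  # reverse direction, '<>' still covers
        Flow("tcp", "198.51.100.5", 2774, "192.0.2.10", 6667),  # dst port differs: pass does not apply
        Flow("tcp", "198.51.100.5", 6667, "192.0.2.10", 6667),  # both ends in $IRC_PORTS: alert header only
    ]
    for f in samples:
        print(f, check(f))
```

Running it prints, for each constructed flow, whether the pass header and the alert header each cover it; a flow whose destination port or host falls outside the pass rule's header will never be suppressed by that rule regardless of the configured rule application order, so comparing the two headers against the actual 5-tuple from the alert is the first thing to check before looking at ordering.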