[Snort-users] PASS rule not working?

Joel Esler jesler at ...1935...
Tue Aug 4 09:56:37 EDT 2009


Is that all your pass rule says?  You need a MSG; more importantly, you need to have a sid. Or else Snort ignores your mistake.

--
Sent from my iPhone

On Aug 4, 2009, at 5:35 AM, Loïc Etienne <loic.etienne at ...7615...> wrote:

> Hello,
>
> We are using custom pass rules to disable alerts for some hosts/ports,
> but still get alerts for those... We are using Snort SP beta 2. Is there
> a problem with our rules?
>
> Rule order is "Rule application order:
> activation->dynamic->pass->drop->alert->log".
>
> Thanks in advance for your help! Details below:
>
> The pass rule:
> pass tcp any 1024: <> 83.231.216.140  8000
>
> The alert rule:
> alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
>   msg:"IRC NICK command"; \
>   flow:established; \
>   content:"NICK"; offset:0; depth:256; \
>   pcre:"/^((\x3a[^\x00\x20\r\n]+\x20+)?\w+(\x20[^\x00\r\n]*)?\r?\n)*?(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
>   classtype:policy-violation; \
>   sid:3584011; rev:4; )
>
> And the unexpected alert:
> [**] [1:3584011:4] IRC NICK command [**]
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
> 08/03/09-10:59:03.366483 137.xxx.xxx.xxx:2774 -> 83.231.216.140:8000
> TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
> ***AP*** Seq: 0x335AA519  Ack: 0x7AC349AF  Win: 0xFFFF  TcpLen: 20
>
> Cheers,
> Loïc Etienne
>
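As an added illustration (not part of the thread), a small Python lint that checks Snort rules for the options Joel says every rule needs, msg and sid, run over the two rules Loïc quoted plus a constructed pass rule that carries both. The option-splitter honours quotes and backslash escapes so the pcre body does not break parsing; the fixed rule's msg text and sid value are constructed sample values.

```python
import re

# Simplified Snort rule header: action proto src sport dir dst dport [ (options) ]
_HEADER = re.compile(
    r"^\s*(?P<action>pass|alert|log|drop|activate|dynamic)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?P<body>\(.*\))?\s*$"
)

REQUIRED = ("msg", "sid")  # options the reply says a rule (pass rules included) must carry

def split_options(body):
    """Split '(a:b; c:"x;y";)' into [('a','b'), ('c','"x;y"')], honouring quotes and escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    def flush():
        opt = "".join(cur).strip()
        if opt:
            name, _, val = opt.partition(":")
            opts.append((name.strip(), val.strip()))
        cur.clear()
    for ch in body.strip()[1:-1]:          # drop the surrounding parentheses
        if esc:
            cur.append(ch); esc = False    # escaped char, e.g. the \x3a in the pcre
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ";" and not in_quote:   # ';' ends an option only outside quotes
            flush()
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    flush()                                # last option may lack a trailing ';'
    return opts

def lint_rule(rule):
    """Return the required options a rule lacks; [] means msg and sid are both present."""
    joined = " ".join(line.strip().rstrip("\\").strip() for line in rule.splitlines())
    m = _HEADER.match(joined)
    if not m:
        return ["header does not parse"]
    names = {name for name, _ in split_options(m["body"])} if m["body"] else set()
    return [f"missing {req}" for req in REQUIRED if req not in names]

# The two rules from the thread, plus a constructed pass rule that carries msg and sid.
PASS_RULE = "pass tcp any 1024: <> 83.231.216.140  8000"
ALERT_RULE = r"""alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
  msg:"IRC NICK command"; flow:established; content:"NICK"; offset:0; depth:256; \
  pcre:"/^((\x3a[^\x00\x20\r\n]+\x20+)?\w+(\x20[^\x00\r\n]*)?\r?\n)*?(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
  classtype:policy-violation; sid:3584011; rev:4; )"""
FIXED_PASS_RULE = 'pass tcp any 1024: <> 83.231.216.140 8000 (msg:"constructed: pass IRC to host"; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for label, rule in [("pass", PASS_RULE), ("alert", ALERT_RULE), ("fixed pass", FIXED_PASS_RULE)]:
        print(f"{label}: {lint_rule(rule) or 'ok'}")
```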