[Snort-users] PASS rule not working?

JJ Cummings cummingsj at ...11827...
Tue Aug 4 10:46:29 EDT 2009


You can also run your rules through the tool that Leon recently created to
look for just such errors / omissions called dumbpig =>
http://leonward.wordpress.com/2009/06/07/dumbpig-automated-checking-for-snort-rulesets/

JJC

On Tue, Aug 4, 2009 at 7:56 AM, Joel Esler <jesler at ...1935...> wrote:

> Is that all your pass rule says?  You need a MSG, more importantly,
> you need to have a sid. Or else Snort ignores your mistake.
>
> --
> Sent from my iPhone
>
> On Aug 4, 2009, at 5:35 AM, Loïc Etienne <loic.etienne at ...7615...> wrote:
>
> > Hello,
> >
> > We are using custom pass rules to disable alerts for some hosts/ports,
> > but still get alerts for those... We are using Snort SP beta 2. Is there
> > a problem with our rules?
> >
> > Rule order is "Rule application order:
> > activation->dynamic->pass->drop->alert->log".
> >
> > Thanks in advance for your help! Details below:
> >
> > The pass rule:
> > pass tcp any 1024: <> 83.231.216.140  8000
> >
> > The alert rule:
> > alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
> >   msg:"IRC NICK command"; \
> >   flow:established; \
> >   content:"NICK"; offset:0; depth:256; \
> >   pcre:"/^((\x3a[^\x00\x20\r\n]+\x20+)?\w+(\x20[^\x00\r\n]*)?\r?\n)*?(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
> >   classtype:policy-violation; \
> >   sid:3584011; rev:4; )
> >
> > And the unexpected alert:
> > [**] [1:3584011:4] IRC NICK command [**]
> > [Classification: Potential Corporate Privacy Violation] [Priority: 1]
> > 08/03/09-10:59:03.366483 137.xxx.xxx.xxx:2774 -> 83.231.216.140:8000
> > TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
> > ***AP*** Seq: 0x335AA519  Ack: 0x7AC349AF  Win: 0xFFFF  TcpLen: 20
> >
> > Cheers,
> > Loïc Etienne
> >

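Joel's point is that the posted pass rule has no option body at all, so it carries neither a msg nor a sid, and JJ's suggestion is to lint the ruleset for exactly that kind of omission before loading it. The script below is an added example of such a check; it is not dumbpig, not Snort's own parser, and not code from anyone in the thread. It assumes a simplified rule grammar (action, protocol, source, source port, direction, destination, destination port, then an optional parenthesised option list) and the sample rule text is constructed here from the shapes of the rules quoted above.

```python
import re

# Constructed sample ruleset modelled on the thread: the option-less pass rule,
# the alert rule with backslash continuations, and a hypothetical pass rule
# that has a msg but still no sid.
SAMPLE_RULES = r'''
# pass rule as posted: header only, no option body
pass tcp any 1024: <> 83.231.216.140 8000

# alert rule, written with line continuations like the list post
alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
  msg:"IRC NICK command"; \
  flow:established; \
  content:"NICK"; offset:0; depth:256; \
  pcre:"/^(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
  classtype:policy-violation; \
  sid:3584011; rev:4; )

# hypothetical pass rule with a msg but no sid
pass tcp any 1024: <> 83.231.216.140 8000 (msg:"ignore IRC to known host";)
'''

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Simplified header grammar (assumption for this example, not Snort's full parser).
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$'
)

REQUIRED_OPTIONS = ("msg", "sid")


def split_rules(text):
    """Join backslash-continued lines and drop comments/blank lines, one rule per string."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        rules.append(buf.strip())
        buf = ""
    if buf:
        rules.append(buf.strip())
    return rules


def parse_options(opts):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    found, cur, in_quote, escaped = {}, "", False, False
    for ch in opts:
        if escaped:
            cur += ch
            escaped = False
            continue
        if ch == "\\":
            cur += ch
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = cur.strip().partition(":")
            if key:
                found.setdefault(key.strip(), []).append(val.strip())
            cur = ""
            continue
        cur += ch
    if cur.strip():  # tolerate a final option without a trailing ';'
        key, _, val = cur.strip().partition(":")
        found.setdefault(key.strip(), []).append(val.strip())
    return found


def lint_rule(rule):
    """Return a list of problems for one rule; an empty list means it passed."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["unparseable rule header"]
    problems = []
    if m.group("action") not in ACTIONS:
        problems.append(f"unknown action {m.group('action')!r}")
    opts = parse_options(m.group("opts") or "")
    for key in REQUIRED_OPTIONS:
        if key not in opts:
            problems.append(f"missing {key}")
    if "sid" in opts and not opts["sid"][0].isdigit():
        problems.append("sid is not numeric")
    if "rev" not in opts:
        problems.append("missing rev")
    return problems


def lint_ruleset(text):
    """Lint every rule in a ruleset string; returns [(rule, problems), ...] in file order."""
    return [(rule, lint_rule(rule)) for rule in split_rules(text)]


if __name__ == "__main__":
    for rule, problems in lint_ruleset(SAMPLE_RULES):
        status = "OK " if not problems else "BAD"
        print(f"{status} {rule[:60]}...  {', '.join(problems)}")
```

Run against the constructed sample, the first and third rules are reported for the missing sid (and the first for the missing msg as well), while the alert rule passes; point `lint_ruleset` at the contents of your own rules file to get the same report before Snort loads it.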
