[Snort-users] newbie question about pass and alert directive

Jason Wallace jason.r.wallace at ...11827...
Fri Feb 22 16:45:25 EST 2013


No, I think what Federico said was correct, because the first rule is
a pass rule, not an alert rule.


> 1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; *flag:A*;
> classtype:not-suspicious; sid:10000013; rev:1;)
> 2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN";*flags:A*;
> content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>
> the rule at point 2 will be ignored because rule at point 1 tells snort to ignore
> every tcp packet with flag ACK active?

If the response order is set to process pass rules before alert rules,
then yes, the second rule will never fire.



On Fri, Feb 22, 2013 at 12:22 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 2/22/2013 04:27, . wrote:
>> another question:
>>
>> writing these rules:
>>
>> 1) pass tcp $HOME_NET any -> any any (msg:"test rule 2"; *flag:A*;
>> classtype:not-suspicious; sid:10000013; rev:1;)
>> 2) alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN";*flags:A*;
>> content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>>
>> the rule at point 2 will be ignored because rule at point 1 tells snort to ignore
>> every tcp packet with flag ACK active?
>
> no... the first rule doesn't tell snort to do anything other than alert based
> on the ACK flag... the second rule will fire if there is content "bogus trojan"
> and the ACK flag... the question is whether such a packet as the second rule is
> looking for exists...
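To make the ordering point concrete, here is an added toy model of how Snort 2 groups rules by type (it is example code written for this archive page, not Snort's own code). The packet it feeds through the two rules from the thread is constructed; the default type order (alert, pass, log) and the `-o` switch that puts pass rules first are real Snort behaviour.

```python
"""Toy model of Snort 2 rule-type ordering (added example, not Snort code).

Snort evaluates rules grouped by type.  By default the order is
alert -> pass -> log; with `-o` it becomes pass -> alert -> log, and a
packet matched by a pass rule is dropped from further rule processing.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str          # 'pass', 'alert' or 'log'
    sid: int
    msg: str
    flags: str = ""      # TCP flags that must be set, e.g. 'A' (exact match)
    content: str = ""    # payload substring, matched case-insensitively (nocase)


@dataclass
class Packet:
    flags: str           # TCP flag letters set on the packet, e.g. 'A' or 'PA'
    payload: bytes


def matches(rule: Rule, pkt: Packet) -> bool:
    # flags:A in Snort means "exactly ACK set" (flags:A+ would allow others)
    if rule.flags and sorted(pkt.flags) != sorted(rule.flags):
        return False
    if rule.content and rule.content.lower().encode() not in pkt.payload.lower():
        return False
    return True


def process(rules, pkt, order=("alert", "pass", "log")):
    """Return the (action, sid) pairs that fire for pkt, in rule-type order."""
    fired = []
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                fired.append((action, rule.sid))
                if action == "pass":
                    return fired   # pass wins: nothing later in the order runs
    return fired


# The two rules from the thread (sid 10000013 pass, sid 10000014 alert).
RULES = [
    Rule("pass", 10000013, "test rule 2", flags="A"),
    Rule("alert", 10000014, "BOGUS NULL TROJAN", flags="A", content="bogus trojan"),
]

# Constructed ACK-only packet carrying the string the alert rule looks for.
PKT = Packet(flags="A", payload=b"GET /Bogus Trojan HTTP/1.0\r\n")


def default_order():
    return process(RULES, PKT)                      # alert fires, then pass


def pass_first():
    return process(RULES, PKT, order=("pass", "alert", "log"))  # only pass


if __name__ == "__main__":
    print("default order:", default_order())
    print("pass first   :", pass_first())
```

With pass rules first, the broad `flags:A` pass rule swallows every ACK-only packet before sid 10000014 is ever consulted, which is the situation Jason describes.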
