[Snort-users] newbie question about pass and alert directive

waldo kitty wkitty42 at ...14940...
Sat Feb 23 10:27:31 EST 2013


On 2/22/2013 16:45, Jason Wallace wrote:
> No, I think what Federico said was correct, because the first rule is
> a pass rule, not an alert rule.

erk! i didn't even catch that... my bad :(

i only ever work with alert rules because we use external processes to handle IP 
blocking and such based on the alerts from snort...

>> 1) pass tcp $HOME_NET any ->  any any (msg:"test rule 2"; *flag:A*;
>> classtype:not-suspicious; sid:10000013; rev:1;)
>> 2) alert tcp $HOME_NET any ->  any any (msg:"BOGUS NULL TROJAN";*flags:A*;
>> content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>>
>> the rule at point 2 will be ignored because the rule at point 1 tells snort to ignore
>> every tcp packet with the ACK flag active ?
>
> If the response order is set to process pass rules before alert rules,
> then yes, the second rule will never fire.

that rule processing order is something else we never mess with, too...


> On Fri, Feb 22, 2013 at 12:22 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 2/22/2013 04:27, . wrote:
>>> another question:
>>>
>>> writing these rules:
>>>
>>> 1) pass tcp $HOME_NET any ->  any any (msg:"test rule 2"; *flag:A*;
>>> classtype:not-suspicious; sid:10000013; rev:1;)
>>> 2) alert tcp $HOME_NET any ->  any any (msg:"BOGUS NULL TROJAN";*flags:A*;
>>> content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)
>>>
>>> the rule at point 2 will be ignored because the rule at point 1 tells snort to ignore
>>> every tcp packet with the ACK flag active ?
>>
>> no... the first rule doesn't tell snort to do anything other than alert based
>> on the ACK flag... the second rule will fire if there is content "bogus trojan"
>> and the ACK flag... the question is will such a packet as the second rule is
>> looking for exist...

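To make the rule-order point concrete, here is a small Python model of how the two rules quoted above are evaluated under different `config order` settings. It is an added illustration, not code from the thread or from Snort; it assumes `$HOME_NET` is 192.168.1.0/24, normalizes the pasted rules to `flags:A`, and uses Snort 2.x's default of evaluating pass rules before alert rules.

```python
import ipaddress
import re

# Constructed toy model of Snort-style rule matching and "config order" handling; not Snort code.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value of $HOME_NET
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)$")

def parse_rule(text):
    """Parse action, protocol, source address and the few options used in the thread."""
    action, proto, src, body = HEADER_RE.match(text.strip()).groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        opts[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sid": int(opts["sid"]),
            "flags": opts.get("flags"), "content": opts.get("content"),
            "nocase": "nocase" in opts}

def matches(rule, pkt):
    """Header plus every option must match; flags:A means ACK set and nothing else."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] == "$HOME_NET" and ipaddress.ip_address(pkt["src"]) not in HOME_NET:
        return False
    if rule["flags"] and set(pkt["flags"]) != set(rule["flags"]):
        return False
    if rule["content"]:
        hay, needle = pkt["payload"], rule["content"]
        if rule["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def evaluate(rules, pkt, order=("pass", "alert", "log")):
    """Rule groups are tried in 'config order'; the first group with a match decides."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action, rule["sid"]
    return None, None

RULES = [parse_rule(r) for r in (
    'pass tcp $HOME_NET any -> any any (msg:"test rule 2"; flags:A; '
    'classtype:not-suspicious; sid:10000013; rev:1;)',
    'alert tcp $HOME_NET any -> any any (msg:"BOGUS NULL TROJAN"; flags:A; '
    'content:"bogus trojan"; nocase; classtype:trojan-activity; sid:10000014; rev:1;)')]
# Constructed sample packet: ACK-only tcp segment from HOME_NET carrying the test string.
PKT = {"proto": "tcp", "src": "192.168.1.10", "flags": "A", "payload": "Bogus Trojan here"}
```

With the default order the pass rule (sid 10000013) claims every ACK-only packet and sid 10000014 never fires; reversing the order to alert before pass lets the alert fire on the same packet.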