Ward Sladek wsladekjr at ...125...
Sat Jan 26 03:53:50 EST 2013

I have several pass rules for which I continue to get alerts, and I need some help figuring out why...  Some of them are very basic rules, just host/port -> host/port.

I'm running Snort version 2.9.4 GRE (Build 40) on CentOS 6.3 and here is my rule order config:
config order: pass activation dynamic drop sdrop reject alert log

Sample pass rules that are not working:
pass tcp 947 -> 2049 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
pass tcp 2049 -> 947 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)

And the alerts that should not be triggering:
Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP} ->
Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} ->

Solutions I've tried:

1.  Separating the pass rule into two directional rules (as seen above) instead of using just one rule with bidirectional operator

2.  Configured the event_queue to order by priority, then made a custom classtype "pass-rule" with the highest priority of "1", incrementing all others +1 (hoping this would ensure my pass rules are processed first)

3.  Ran it through Dumbpig just to be sure... It reports two problems, however they're unrelated to this:  "TCP/UDP rule with no deep packet checks?" and "TCP, without flow."

Any idea what I may be doing wrong or why I'm still getting alerts?
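A triage helper for exactly this situation, added here as an example; it is not part of the original post and not Snort's own code. It parses the headers of `pass` rules and the 5-tuple at the end of Snort's syslog alert lines, then reports for each alert which pass rule headers actually cover it, honouring `->` versus `<>`. The rules and syslog lines inside the block are constructed for the demo (the hosts are invented, since the lines on this page carry no addresses); the matcher understands single hosts, CIDR blocks, single ports and `lo:hi` ranges, `any` and `!` negation, but not `[lists]` or `$VARIABLES`.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed pass rules for the demo (not the list post's own rules): the
# headers carry explicit host fields so there is a full 5-tuple to compare.
PASS_RULES = """
pass tcp 10.0.0.5 947 -> 10.0.0.9 2049 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; sid:1000; rev:2;)
pass tcp 10.0.0.9 2049 -> 10.0.0.5 947 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; sid:1001; rev:2;)
pass tcp 192.168.1.0/24 any <> any 443 (msg:"LOCAL TLS to anywhere"; sid:1002; rev:1;)
"""

# Constructed lines in the shape of Snort's syslog alert output; addresses are invented.
ALERTS = """
Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP} 10.0.0.9:2049 -> 10.0.0.5:947
Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:2049 -> 10.0.0.5:1023
Jan 25 23:05:00 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.7:51000 -> 203.0.113.10:443
"""

# Rule header: action proto src sport direction dst dport ( options )
RULE_RE = re.compile(r"^pass\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
SID_RE = re.compile(r"\bsid:\s*(\d+)")
# Syslog alert: [gid:sid:rev] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(r"\[(\d+:\d+:\d+)\].*\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s*$")


@dataclass
class PassRule:
    sid: int
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str


def parse_pass_rules(text):
    """Parse the header of every pass rule in text; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid = SID_RE.search(line)
        rules.append(PassRule(int(sid.group(1)) if sid else 0,
                              m.group(1).lower(), *m.group(2, 3, 4, 5, 6)))
    return rules


def ip_matches(spec, ip):
    """Single address or CIDR, 'any', and '!' negation (no [lists] or $VARS)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec, port):
    """Single port, 'lo:hi' range (open ends allowed), 'any', and '!' negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def rule_covers(rule, proto, sip, sport, dip, dport):
    """True if the rule header matches the packet; '<>' also tries the reverse."""
    if rule.proto not in ("ip", proto):
        return False
    fwd = (ip_matches(rule.src, sip) and port_matches(rule.sport, sport)
           and ip_matches(rule.dst, dip) and port_matches(rule.dport, dport))
    if fwd or rule.direction == "->":
        return fwd
    return (ip_matches(rule.src, dip) and port_matches(rule.sport, dport)
            and ip_matches(rule.dst, sip) and port_matches(rule.dport, sport))


def covered_alerts(rules_text, alerts_text):
    """For each alert line, return (gid:sid:rev, [sids of pass rules covering it])."""
    rules = parse_pass_rules(rules_text)
    out = []
    for line in alerts_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        sig, proto, sip, sport, dip, dport = m.groups()
        hits = [r.sid for r in rules
                if rule_covers(r, proto.lower(), sip, int(sport), dip, int(dport))]
        out.append((sig, hits))
    return out


if __name__ == "__main__":
    for sig, hits in covered_alerts(PASS_RULES, ALERTS):
        status = f"covered by pass sid(s) {hits}" if hits else "NOT covered by any pass rule"
        print(f"{sig}: {status}")
```

Run it against your real rules file and a day of syslog: an alert that the script reports as not covered is one where the pass rule header simply does not match that direction, host or port (the second constructed line above, reply traffic to a non-947 port, is the typical case), while an alert reported as covered points at something other than the header, such as rule ordering or evaluation, as the thing to investigate next.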

