[Snort-users] Pass rules - no effect/not working

Jeremy Hoel jthoel at ...11827...
Sun Jan 27 04:29:38 EST 2013
There is a config option which controls the order in which things are processed..
'config order'

What order are you running?

# cat /var/log/messages | grep snort | grep order
Mar 27 20:28:45 my_machine snort[1659]: Rule application order: ->activation->dynamic->pass->drop->alert->log

If alert is before pass that could be a problem.

Check that and then we can look at some other things..
On Sat, Jan 26, 2013 at 1:53 AM, Ward Sladek <wsladekjr at ...125...> wrote:
> I have several pass rules in which I continue to get alerts for and need
> some help figuring out why...  Some of them are very basic rules, just
> host/port -> host/port.
>
> I'm running Snort version 2.9.4 GRE (Build 40) on CentOS 6.3 and here is my
> rule order config:
> config order: pass activation dynamic drop sdrop reject alert log
>
> Sample pass rules that are not working:
> pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
> pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)
>
>
> And the alerts that should not be triggering:
> Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP} 10.16.135.95:947 -> 10.16.135.2:2049
> Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 10.16.135.2:2049 -> 10.16.135.95:947
>
>
> Solutions I've tried:
>
> 1.  Separating the pass rule into two directional rules (as seen above)
> instead of using just one rule with bidirectional operator
>
> 2.  Configured the event_queue to order by priority, then made a custom
> classtype "pass-rule" with the highest priority of "1", incrementing all
> others +1 (hoping this would ensure my pass rules are processed first)
>
> 3.  Ran it through Dumbpig just to be sure... It reports two problems,
> however they're unrelated to this:  "TCP/UDP rule with no deep packet
> checks?" and "TCP, without flow."
>
>
> Any idea what I may be doing wrong or why I'm still getting alerts?
>
> Thanks in advance,
> -W
>
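Added example, not code from this thread or from the Snort project: a small script that runs the two checks the exchange above turns on. First, the "Rule application order" line Snort writes to syslog at startup must apply pass before alert and log, which is what Jeremy asks Ward to confirm. Second, the pass rule's header (protocol, addresses, ports, direction) must actually cover the 5-tuple the alert fired on, which is what Ward's rules are meant to do. The sample log lines and rules are the ones quoted in the thread, re-joined onto single lines; the header matcher is a deliberately simplified stand-in for Snort's own logic (assumption: literal IPs, CIDRs and bracketed lists only, single ports and low:high ranges, no $HOME_NET-style variables) and says nothing about why Ward's rules fail.

```python
"""Check Snort rule application order and pass-rule header coverage.

Added example, not from the thread or the Snort project. The matcher is a
simplified approximation of Snort header matching, not Snort's own code.
"""
import ipaddress
import re

# Constructed sample input: the order line from the grep above and the two
# alerts from the quoted mail, each on one line as syslog writes them.
SYSLOG = """\
Mar 27 20:28:45 my_machine snort[1659]: Rule application order: ->activation->dynamic->pass->drop->alert->log
Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP} 10.16.135.95:947 -> 10.16.135.2:2049
Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 10.16.135.2:2049 -> 10.16.135.95:947
"""

# Constructed sample input: the two pass rules from the quoted mail.
PASS_RULES = """\
pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)
"""

ORDER_RE = re.compile(r"Rule application order:\s*(\S+)")
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\] .*? \[Priority: \d+\] \{(\w+)\} "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+)"
)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def parse_order(log_text):
    """Rule type order as Snort logged it, e.g. ['activation', 'dynamic', 'pass', ...]."""
    for line in log_text.splitlines():
        m = ORDER_RE.search(line)
        if m:
            return [t for t in m.group(1).split("->") if t]
    return None


def pass_precedes_alert(order):
    """True when 'pass' is applied before both 'alert' and 'log'."""
    if not order or "pass" not in order:
        return False
    later = [t for t in ("alert", "log") if t in order]
    return all(order.index("pass") < order.index(t) for t in later)


def _ip_matches(spec, ip):
    """Simplified address spec: any, IP, CIDR, [a,b,...]; leading '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    hit = spec == "any" or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
        for p in spec.split(",")
    )
    return hit != negate


def _port_matches(spec, port):
    """Simplified port spec: any, single port, or low:high range; '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_covers(rule, proto, sip, sport, dip, dport):
    """True if the rule header covers this 5-tuple, honouring '->' vs '<>'."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: " + rule)
    _action, rproto, rsip, rsport, direction, rdip, rdport = m.groups()
    if rproto != "ip" and rproto.lower() != proto.lower():
        return False

    def one_way(a, ap, b, bp):
        return (_ip_matches(rsip, a) and _port_matches(rsport, ap)
                and _ip_matches(rdip, b) and _port_matches(rdport, bp))

    if one_way(sip, sport, dip, dport):
        return True
    return direction == "<>" and one_way(dip, dport, sip, sport)


def covering_pass_rules(log_text, rules_text):
    """For each alert in the log, the sids of pass rules whose header covers it.

    Returns a list of (alert_sid, [pass_sid, ...]); an empty inner list means
    no pass rule header even matches that traffic, so ordering is not the issue.
    """
    rules = [r for r in rules_text.splitlines() if r.startswith("pass ")]
    result = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        _gid, sid, _rev, proto, sip, sport, dip, dport = m.groups()
        hits = [re.search(r"sid:\s*(\d+)", r).group(1) for r in rules
                if header_covers(r, proto, sip, int(sport), dip, int(dport))]
        result.append((sid, hits))
    return result


if __name__ == "__main__":
    order = parse_order(SYSLOG)
    print("order:", order, "| pass before alert/log:", pass_precedes_alert(order))
    for sid, hits in covering_pass_rules(SYSLOG, PASS_RULES):
        print(f"alert sid {sid}: covered by pass sids {hits or 'none'}")
```

Run it against your own /var/log/messages and rules file in place of the constructed strings. If pass_precedes_alert() is False, the startup order is the first thing to fix; if it is True and every alert is still covered by a pass rule header, the header and ordering are not where the problem lies and the other things Jeremy mentions are worth looking at next.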