[Snort-users] Pass rules - no effect/not working

Ward Sladek wsladekjr at ...125...
Sun Jan 27 13:25:50 EST 2013


This is my order config in snort.conf:
config order: pass activation dynamic drop sdrop reject alert log

and log for verification:

Jan 26 00:07:16 dev01 snort[27849]: Rule application order: pass->activation->dynamic->drop->sdrop->reject->alert->log




> From: jthoel at ...11827...
> Date: Sun, 27 Jan 2013 02:29:38 -0700
> Subject: Re: [Snort-users] Pass rules - no effect/not working
> To: wsladekjr at ...125...
> CC: snort-users at lists.sourceforge.net
> 
> There is a config option which controls the order how things work..
> 'config order'
> 
> What order are you running?
> 
> # cat /var/log/messages | grep snort | grep order
> Mar 27 20:28:45 my_machine snort[1659]: Rule application order: ->activation-
> dynamic->pass->drop->alert->log
> 
> If alert is before pass that could be a problem.
> 
> Check that and then we can look at some other things..
> 
> 
> 
> 
> 
> On Sat, Jan 26, 2013 at 1:53 AM, Ward Sladek <wsladekjr at ...125...> wrote:
> > I have several pass rules in which I continue to get alerts for and need
> > some help figuring out why...  Some of them are very basic rules, just
> > host/port -> host/port.
> >
> > I'm running Snort version 2.9.4 GRE (Build 40) on CentOS 6.3 and here is my
> > rule order config:
> > config order: pass activation dynamic drop sdrop reject alert log
> >
> > Sample pass rules that are not working:
> > pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic due to
> > Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
> > pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic due to
> > Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)
> >
> >
> > And the alerts that should not be triggering:
> > Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc
> > ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP}
> > 10.16.135.95:947 -> 10.16.135.2:2049
> > Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file
> > download [Classification: Misc activity] [Priority: 3] {TCP}
> > 10.16.135.2:2049 -> 10.16.135.95:947
> >
> >
> > Solutions I've tried:
> >
> > 1.  Separating the pass rule into two directional rules (as seen above)
> > instead of using just one rule with bidirectional operator
> >
> > 2.  Configured the event_queue to order by priority, then made a custom
> > classtype "pass-rule" with the highest priority of "1", incrementing all
> > others +1 (hoping this would ensure my pass rules are processed first)
> >
> > 3.  Ran it through Dumbpig just to be sure... It reports two problems,
> > however they're unrelated to this:  "TCP/UDP rule with no deep packet
> > checks?" and "TCP, without flow."
> >
> >
> > Any idea what I may be doing wrong or why I'm still getting alerts?
> >
> > Thanks in advance,
> > -W
> >
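As an added example (not from the thread or the Snort project), a small Python triage helper that checks the two things this exchange turns on: whether the logged rule application order actually puts pass ahead of alert and drop, and whether an alert's 5-tuple is covered by one of the pass rule headers. The sample data is constructed from the messages above; the matcher understands only plain host/CIDR/any addresses and single ports, not variables, port ranges or rule options.

```python
import re
import ipaddress

# Constructed sample data, modelled on the thread: the logged order line,
# the two directional pass rules and the two alerts that should not have fired.
ORDER_LOG = "Jan 26 00:07:16 dev01 snort[27849]: Rule application order: pass->activation->dynamic->drop->sdrop->reject->alert->log"
PASS_RULES = [
    'pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic"; classtype:pass-rule; sid:1000; rev:2;)',
    'pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic"; classtype:pass-rule; sid:1001; rev:2;)',
]
ALERTS = [
    "Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Priority: 2] {TCP} 10.16.135.95:947 -> 10.16.135.2:2049",
    "Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Priority: 3] {TCP} 10.16.135.2:2049 -> 10.16.135.95:947",
]

def pass_before_alert(order_log):
    """True if the logged 'Rule application order' evaluates pass before alert and drop."""
    order = order_log.split("Rule application order:")[1].strip().split("->")
    return order.index("pass") < min(order.index(a) for a in ("alert", "drop") if a in order)

def parse_pass_rule(rule):
    # Header only: proto, source ip/port, direction operator, destination ip/port.
    m = re.match(r"pass\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)", rule)
    proto, sip, sport, direction, dip, dport = m.groups()
    return {"proto": proto.upper(), "src": (sip, sport), "dir": direction, "dst": (dip, dport)}

def parse_alert(line):
    # The '{PROTO} src:port -> dst:port' tail that Snort appends to a syslog alert.
    m = re.search(r"\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)", line)
    proto, sip, sport, dip, dport = m.groups()
    return {"proto": proto.upper(), "src": (sip, sport), "dst": (dip, dport)}

def _endpoint_matches(rule_ep, pkt_ep):
    """A rule endpoint ('any' or host/CIDR, 'any' or port) covers the packet endpoint."""
    (rip, rport), (pip, pport) = rule_ep, pkt_ep
    ip_ok = rip == "any" or ipaddress.ip_address(pip) in ipaddress.ip_network(rip, strict=False)
    return ip_ok and (rport == "any" or rport == pport)

def covering_pass_rules(alert_line, rules):
    """Return the sids of the pass rules whose header covers the alert's 5-tuple."""
    pkt = parse_alert(alert_line)
    hits = []
    for rule in rules:
        r = parse_pass_rule(rule)
        if r["proto"] != pkt["proto"]:
            continue
        fwd = _endpoint_matches(r["src"], pkt["src"]) and _endpoint_matches(r["dst"], pkt["dst"])
        rev = r["dir"] == "<>" and _endpoint_matches(r["src"], pkt["dst"]) and _endpoint_matches(r["dst"], pkt["src"])
        if fwd or rev:
            hits.append(int(re.search(r"sid:(\d+)", rule).group(1)))
    return hits
```

If the order check passes and a pass rule covers the alert's 5-tuple, the header is not the problem and the comparison moves on to whatever else differs between the pass rule and the alerting rule.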