Snort mailing list archives

Rules: reliably ignoring a host


From: Chris Adams <chris () improbable org>
Date: Sun, 5 Aug 2001 23:15:05 -0700

We have a busy NFS server which generates a great deal of traffic to most of our machines, including the host running snort. I added it to the portscan ignore list, which worked fine. I want to ignore all NFS traffic from this system for everything else, particularly since it triggers things like the x86 NOP alerts (all those x86 binaries being served...).

Here's the command-line I'm using with snort 1.8p1:
snort -t /var/log/snort -l . -b -c config/snort.conf -o -A fast -m 037 -y

Here are the pass rules:
pass udp any any -> server 2409
pass udp server 2409 -> any any

I've also tested with any instead of the NFS port (I'd like to watch for other UDP activity). Unfortunately, I'm still getting thousands of alerts like these:

08/05/01-20:02:58.497460 [**] [1:648:2] SHELLCODE x86 NOOP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} NFS_SERVER -> NFS_CLIENT

8/05/01-22:04:52.572829 [**] [1:651:2] SHELLCODE x86 stealth NOOP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} NFS_SERVER -> NFS_CLIENT

I've changed my config to do something I should have done earlier ($HOME_NET = network/24; $EXTERNAL_NET = !$HOME_NET), which looks like it would solve this, but I was wondering if anyone could shed some light on *why* this happened.

I was under the impression that since the -o flag causes all pass rules to be applied before any alert rules, the two pass rules would thus remove any UDP traffic to or from that server. Obviously, this wasn't happening and I haven't figured out why, despite some quality time with the manuals and Google. Can anyone shed some light on this?

Chris
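As an added example (not from the post or from the Snort project), the following Python checks whether the 5-tuple in a Snort -A fast alert line is actually matched by a set of pass rules: -o only moves pass rules ahead of alert rules, so a pass rule whose protocol, addresses, ports or direction do not match the packet leaves the alert to fire regardless of order. The sample alert line, its addresses and the value substituted for `server` are constructed; NFS normally runs on port 2049, so the sample uses that port.

```python
import re

# Constructed sample alert in Snort -A fast format, carrying the src:port -> dst:port
# that the redacted "NFS_SERVER -> NFS_CLIENT" lines in the post would have shown.
SAMPLE_ALERT = ("08/05/01-20:02:58.497460 [**] [1:648:2] SHELLCODE x86 NOOP [**] "
                "[Classification: Potentially Bad Traffic] [Priority: 2] "
                "{UDP} 192.0.2.10:2049 -> 192.0.2.25:1023")
# Hypothetical address for the "server" placeholder in the post's pass rules.
VARS = {"server": "192.0.2.10"}

ALERT_RE = re.compile(r"\{(\w+)\} ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
RULE_RE = re.compile(r"^pass\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")

def parse_alert(line):
    """Pull (proto, src, sport, dst, dport) out of a fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("no 5-tuple in alert line: %r" % line)
    proto, src, sport, dst, dport = m.groups()
    return proto.lower(), src, int(sport), dst, int(dport)

def parse_rule(rule, variables):
    """Parse a pass rule header; host names are resolved through `variables`."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a pass rule header: %r" % rule)
    proto, src, sport, direction, dst, dport = m.groups()
    return (proto.lower(), variables.get(src, src), sport, direction,
            variables.get(dst, dst), dport)

def _matches(pattern, value):
    # 'any' matches everything; otherwise compare as strings (ports stay plain).
    return pattern == "any" or pattern == str(value)

def rule_covers(rule, tuple5):
    """True if the pass rule header matches the alert's 5-tuple (incl. <> direction)."""
    proto, src, sport, dst, dport = tuple5
    rproto, rsrc, rsport, direction, rdst, rdport = rule
    if rproto != proto:
        return False
    fwd = all(_matches(p, v) for p, v in ((rsrc, src), (rsport, sport), (rdst, dst), (rdport, dport)))
    rev = all(_matches(p, v) for p, v in ((rsrc, dst), (rsport, dport), (rdst, src), (rdport, sport)))
    return fwd or (direction == "<>" and rev)

def uncovered_alerts(alert_lines, pass_rules, variables=VARS):
    """Alerts that no pass rule matches: with -o these still fire, whatever the rule order."""
    rules = [parse_rule(r, variables) for r in pass_rules]
    return [a for a in alert_lines if not any(rule_covers(r, parse_alert(a)) for r in rules)]
```

Running the post's two rules against the sample shows the alert uncovered, while rules naming the port the server actually answers from (or a `<>` rule with `any` ports) cover it.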

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
