Snort mailing list archives

Re: Pass Rule


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 26 Nov 2002 17:33:22 -0500

At 03:16 PM 11/26/2002 -0600, Frank Knobbe wrote:
> I would suggest to put any pass rules in a file called pass.rules, and
> load it in your snort.conf before any other rules.

I'd agree with that for convenience/maintenance's sake, but the order of rules in the file is not relevant to the order in which they are executed in this case. (And note that even between ordinary alert rules order is relevant, but the execution order does NOT always match the file order.)

Pass rules are executed completely separately from the alert rules, and without the -o they will always be executed after alerts, and with it they will always be executed before them, no matter where they exist in the files relative to the alert rules they are trying to pass around.


As for the pass rule itself:

 pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53 \
 (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|";)

Are you sure that BOTH the source and the dest port are 53 on the packets you are trying to pass? Most clients get DNS responses back on ports other than 53, although server-server queries are generally 53 to 53.


Try this one instead, which matches the original rule better:

 pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx any \
 (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|";)





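To make the two points in the reply concrete (which packets a "53 -> 53" versus a "53 -> any" pass rule actually matches, and why a pass rule cannot suppress an alert unless -o puts pass rules first), here is an added Python example. It is not part of the original post and not Snort code. It decodes the rule's two content strings as DNS header and answer fields, then runs a toy rule matcher over a constructed PTR response sent once to a client's ephemeral port and once server-to-server. The IP addresses, the alert rule, and the packet bytes are invented for illustration; the matcher only implements what the rule above uses (exact IP or "any", exact port or "any", unanchored content search), not CIDR, variables, offset/depth or distance.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Union

# The two content matches from the pass rule discussed above, as raw bytes.
HEADER_MATCH = bytes.fromhex("85800001000100000000")
ANSWER_MATCH = bytes.fromhex("c00c000c00010000003c000f")


def decode_header(b: bytes) -> dict:
    """Decode the DNS header fields that follow the 2-byte ID:
    flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", b[:10])
    return {
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def decode_answer_fixed(b: bytes) -> dict:
    """Decode a compressed-name answer RR: name pointer, TYPE, CLASS, TTL, RDLENGTH."""
    name_ptr, rtype, rclass, ttl, rdlen = struct.unpack("!HHHIH", b[:12])
    return {
        "is_pointer": (name_ptr >> 14) == 3, "name_offset": name_ptr & 0x3FFF,
        "type": rtype, "class": rclass, "ttl": ttl, "rdlength": rdlen,
    }


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str                 # "alert" or "pass"
    proto: str
    src: str                    # exact IP or "any" (toy: no CIDR, no $VARS)
    sport: Union[int, str]
    dst: str
    dport: Union[int, str]
    contents: List[bytes]


def _match(spec, value) -> bool:
    return spec == "any" or spec == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All header fields must match; each content is an unanchored search of
    the payload, since the rule uses no offset/depth/distance modifiers."""
    if rule.proto != pkt.proto:
        return False
    if not (_match(rule.src, pkt.src) and _match(rule.sport, pkt.sport)
            and _match(rule.dst, pkt.dst) and _match(rule.dport, pkt.dport)):
        return False
    return all(c in pkt.payload for c in rule.contents)


def evaluate(pkt: Packet, alert_rules: List[Rule], pass_rules: List[Rule],
             pass_first: bool = False) -> Optional[str]:
    """Rule-type ordering as the reply describes it: alert rules before pass
    rules by default, pass rules first with -o. The first group that matches
    decides the packet's fate."""
    groups = [("alert", alert_rules), ("pass", pass_rules)]
    if pass_first:
        groups.reverse()
    for action, rules in groups:
        if any(rule_matches(r, pkt) for r in rules):
            return action
    return None


# Constructed DNS PTR response that carries exactly the bytes the rule looks for:
# ID, then the matched header, a PTR question for 4.3.2.1.in-addr.arpa (name at
# offset 12, which is where the C00C pointer points), then the matched answer
# fields and 15 bytes of RDATA (RDLENGTH 0x000f).
QUESTION = b"\x014\x013\x012\x011\x07in-addr\x04arpa\x00" + b"\x00\x0c\x00\x01"
RDATA = b"\x05host1\x07example\x00"
PAYLOAD = b"\x12\x34" + HEADER_MATCH + QUESTION + ANSWER_MATCH + RDATA

# Invented addresses: 10.0.0.53 is the DNS server, 10.0.0.7 a stub client,
# 10.0.0.54 another DNS server.
CLIENT_RESPONSE = Packet("udp", "10.0.0.53", 53, "10.0.0.7", 34567, PAYLOAD)
SERVER_RESPONSE = Packet("udp", "10.0.0.53", 53, "10.0.0.54", 53, PAYLOAD)

# Hypothetical alert rule the pass rule is meant to neutralise, plus the two
# pass rule variants from the reply (destination address generalised to "any").
CONTENTS = [HEADER_MATCH, ANSWER_MATCH]
ALERT_RULE = Rule("alert", "udp", "any", 53, "any", "any", CONTENTS)
PASS_53_TO_53 = Rule("pass", "udp", "10.0.0.53", 53, "any", 53, CONTENTS)
PASS_53_TO_ANY = Rule("pass", "udp", "10.0.0.53", 53, "any", "any", CONTENTS)

if __name__ == "__main__":
    print("header:", decode_header(HEADER_MATCH))
    print("answer:", decode_answer_fixed(ANSWER_MATCH))
    for name, pkt in (("client", CLIENT_RESPONSE), ("server", SERVER_RESPONSE)):
        for label, pr in (("53->53", PASS_53_TO_53), ("53->any", PASS_53_TO_ANY)):
            print(name, label, "default:", evaluate(pkt, [ALERT_RULE], [pr]),
                  " with -o:", evaluate(pkt, [ALERT_RULE], [pr], pass_first=True))
```

Decoding the content strings shows what the rule is really keyed on: a response (QR=1) with AA, RD and RA set, exactly one question and one answer, no authority or additional records, and an answer that is a PTR (type 12, class IN) with a 60-second TTL. Running the matcher shows the port point directly: the "53 -> 53" variant never sees the response going back to the client's ephemeral port, and even the "53 -> any" variant only wins when pass rules are evaluated first.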
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

