Snort mailing list archives
[Snort-users] Part of traffic matching wrong rule
From: Juergen Anthamatten <juergen.anthamatten () gmx ch>
Date: Thu, 19 Jun 2003 09:15:20 -0700
To: snort-users () lists sourceforge net
Original date: Wed, 18 Jun 2003 15:41:06 +0200 (MEST)

I'd like to alarm on TCP SYN-ACK packets sent back by a server which violate our policy. Therefore I "pass" all allowed SYN-ACK traffic and then "alarm" on all other SYN-ACK packets. This works almost fine. But for about 1% of the traffic which theoretically matches the pass rule, that rule does not hit and the alarm rule triggers instead.
Relevant configuration info:

    Snort Version: 2.0.0
    Rule application order: alert->pass->alarm

    var HOME_NET 64.232.48.224/28
    var UNIVERSE 0.0.0.0/0
    var host1 64.232.48.230

    pass tcp $host1 80 -> $UNIVERSE 1024: (flags: SA;)
    alarm tcp $HOME_NET any -> $UNIVERSE any (flags: SA; msg:"Forbidden synAck from HOME_NET";)

For about 99% of the SYN-ACK responses from 64.232.48.230.80 the rule matches as expected and no alarm is triggered. But, as the following extract of the alarm logfile shows, some packets theoretically fitting the pass rule do not match it but the final alarm rule instead:

    ...
    64.232.48.230.80 > 88.34.112.22.8888: S 2146395230:2146395230(0) ack 3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)

Is this a misconfiguration, bug or feature? ;-) TIA for any hints.

Cheers,
juergen
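As an added illustration (not part of the original post), a small Python model of how the two rules above are expected to apply, evaluated against the logged SYN-ACK and a few constructed variants. It assumes Snort's `flags:` option without a mask matches only the exact flag set, and that `1024:` means "port 1024 or higher"; the packet records are constructed for this example.

```python
import ipaddress

# Constructed packets: the SYN-ACK from the log extract plus hypothetical variants.
# Flags use Snort letters; "2" stands for reserved bit 2 in Snort's notation.
PACKETS = [
    {"src": "64.232.48.230", "sport": 80, "dst": "88.34.112.22", "dport": 8888, "flags": "SA"},   # from the log
    {"src": "64.232.48.230", "sport": 80, "dst": "88.34.112.22", "dport": 1023, "flags": "SA"},   # client port < 1024
    {"src": "64.232.48.231", "sport": 80, "dst": "88.34.112.22", "dport": 8888, "flags": "SA"},   # other HOME_NET host
    {"src": "64.232.48.230", "sport": 80, "dst": "88.34.112.22", "dport": 8888, "flags": "SA2"},  # extra flag bit set
]

HOME_NET = ipaddress.ip_network("64.232.48.224/28")
HOST1 = ipaddress.ip_network("64.232.48.230/32")
UNIVERSE = ipaddress.ip_network("0.0.0.0/0")

# The two rules from the post, in the order the poster reports (pass evaluated before alarm).
RULES = [
    {"action": "pass", "src": HOST1, "sport": "80", "dst": UNIVERSE, "dport": "1024:", "flags": "SA"},
    {"action": "alarm", "src": HOME_NET, "sport": "any", "dst": UNIVERSE, "dport": "any", "flags": "SA"},
]

def flags_match(option, pkt_flags):
    """'flags:SA' with no modifier fires only when the packet's flag set is exactly {S, A}."""
    return set(option) == set(pkt_flags)

def port_match(spec, port):
    """Port spec: 'any', a single port, or a range '1024:' (>=), ':1023' (<=), '1024:2000'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (not lo or port >= int(lo)) and (not hi or port <= int(hi))
    return port == int(spec)

def rule_matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in rule["src"]
            and port_match(rule["sport"], pkt["sport"])
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and port_match(rule["dport"], pkt["dport"])
            and flags_match(rule["flags"], pkt["flags"]))

def classify(pkt):
    """Return the action of the first matching rule, or 'none' if neither rule fires."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "none"

if __name__ == "__main__":
    for pkt in PACKETS:
        print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} flags={pkt['flags']}: {classify(pkt)}")
```

By the rule text alone the logged packet lands on `pass`; the variants show which header fields would legitimately push a SYN-ACK onto the alarm rule, or off both rules entirely.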