Snort mailing list archives

[no subject]


From: Juergen Anthamatten <juergen.anthamatten () gmx ch>
Date: Thu, 19 Jun 2003 09:15:20 -0700

To: snort-users () lists sourceforge net
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-Authenticated-Sender: #0004876234 () gmx net
X-Authenticated-IP: [212.90.202.121]
Message-ID: <533.1055943666 () www6 gmx net>
X-Mailer: WWW-Mail 1.6 (Global Message Exchange)
X-Flags: 0001
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Subject: [Snort-users] Part of traffic matching wrong rule
Sender: snort-users-admin () lists sourceforge net
Errors-To: snort-users-admin () lists sourceforge net
X-BeenThere: snort-users () lists sourceforge net
X-Mailman-Version: 2.0.9-sf.net
Precedence: bulk
List-Help: <mailto:snort-users-request () lists sourceforge net?subject=help>
List-Post: <mailto:snort-users () lists sourceforge net>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,
        <mailto:snort-users-request () lists sourceforge net?subject=subscribe>
List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,
        <mailto:snort-users-request () lists sourceforge net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=snort-users>
X-Original-Date: Wed, 18 Jun 2003 15:41:06 +0200 (MEST)
Date: Wed, 18 Jun 2003 15:41:06 +0200 (MEST)

I'd like to alarm on TCP SYN-ACK packets sent back by a server which are
violating our policy.
Therefore I "pass" all allowed SYN-ACK traffic and then "alarm" on all other
SYN-ACK packets.
This works almost fine. But for about 1% of the traffic that theoretically
matches the pass rule, this rule is not hitting and the alarm rule is triggering
instead.

Relevant configuration info:
Snort Version: 2.0.0
Rule application order: alert->pass->alarm

var HOME_NET    64.232.48.224/28
var UNIVERSE    0.0.0.0/0
var host1       64.232.48.230

pass    tcp     $host1      80  ->  $UNIVERSE   1024:   (flags: SA;)
alarm   tcp     $HOME_NET   any ->  $UNIVERSE   any     (flags: SA; msg:"Forbidden synAck from HOME_NET";)

For about 99% of the SYN-ACK responses from 64.232.48.230.80 the rule is
matching as expected and no alarm is triggered.
But, as the following extract of the alarm logfile shows, some packets that
theoretically fit the pass rule are not matching the pass rule but the final
alarm rule.
"
... 64.232.48.230.80 > 88.34.112.22.8888: S 2146395230:2146395230(0) ack 3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)
"

Is this a misconfiguration, bug or feature? ;-)
TIA for any hints.....

Cheers,
  juergen

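As an added example (not code from the original post, and not Snort's own matching engine), the following Python script evaluates the two posted rules against the packet from the log extract under plain first-match semantics. It assumes the rule grammar visible in the post (variable or CIDR addresses, port specs such as `1024:` or `any`, and an exact flags match, which is what Snort's `flags` option does when no `+`, `*` or `!` modifier is given) and keeps the post's `alarm` action name as written. It also probes two nearby cases the post does not show: a destination port below 1024, and a SYN-ACK carrying an extra flag bit.

```python
# Added example (not from the original post, not Snort's matcher): a minimal
# evaluator for Snort 2.x-style rule headers plus the "flags" option, used to
# check which of the two posted rules cover the logged SYN-ACK.
# Assumptions: first-match in listed order; address spec "any", CIDR or $VAR;
# port spec "any", "N", "N:", ":N" or "N:M"; flags compared exactly.
import ipaddress
import re
from dataclasses import dataclass

# Variables exactly as given in the post.
VARS = {
    "HOME_NET": "64.232.48.224/28",
    "UNIVERSE": "0.0.0.0/0",
    "host1": "64.232.48.230",
}

# The two rules from the post, whitespace normalised.
RULES = [
    'pass tcp $host1 80 -> $UNIVERSE 1024: (flags: SA;)',
    'alarm tcp $HOME_NET any -> $UNIVERSE any (flags: SA; msg:"Forbidden synAck from HOME_NET";)',
]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # Snort flag letters, e.g. "SA" for SYN+ACK


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: tuple
    dst: ipaddress.IPv4Network
    dport: tuple
    flags: str
    msg: str


def parse_ports(spec):
    """Turn a Snort port spec into an inclusive (low, high) range."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def parse_addr(spec):
    """Resolve $VAR references and return a network (host addresses become /32)."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Parse the header and the flags/msg options of one rule line."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    flags, msg = "", ""
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "flags":
            flags = val
        elif key == "msg":
            msg = val.strip('"')
    return Rule(action, proto, parse_addr(src), parse_ports(sport),
                parse_addr(dst), parse_ports(dport), flags, msg)


def matches(rule, pkt):
    """Header plus exact flag match, as an unmodified 'flags:' option requires."""
    return (ipaddress.ip_address(pkt.src) in rule.src
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and set(rule.flags) == set(pkt.flags))


def covering_actions(rules, pkt):
    """Actions of every rule whose header and flags cover pkt, in listed order."""
    return [r.action for r in rules if matches(r, pkt)]


def first_match(rules, pkt):
    """First rule in listed order that covers pkt, or None."""
    return next((r for r in rules if matches(r, pkt)), None)


PARSED = [parse_rule(r) for r in RULES]

# Packet transcribed from the tcpdump line in the post (S plus ack => SYN-ACK).
LOGGED = Packet("64.232.48.230", 80, "88.34.112.22", 8888, "SA")

if __name__ == "__main__":
    print(covering_actions(PARSED, LOGGED))       # ['pass', 'alarm']
    print(first_match(PARSED, LOGGED).action)     # pass
    # Constructed variants: low destination port, and an extra flag bit.
    print(covering_actions(PARSED, Packet("64.232.48.230", 80, "88.34.112.22", 1023, "SA")))
    print(first_match(PARSED, Packet("64.232.48.230", 80, "88.34.112.22", 8888, "SAP")))
```

Run stand-alone, the script shows that both headers cover the logged packet and that the pass rule, being listed first, wins under first-match order; the constructed variants show the two ways a packet from the same server can fall through to the alarm rule or to neither rule (a destination port below 1024, or a flag set other than exactly SYN+ACK). That is the check to run before suspecting the engine: if the rule text alone explains the hit, the fix is in the rules.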

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users