Snort mailing list archives
Re: issue with 2.8.2
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 06 Jun 2008 13:19:48 +1200
Steven Sturges wrote:
Hi Jason-- Couldn't you just use a port list to eliminate the 'allowed' DNS queries and the pass rule? Performance would be much better this way.
The rules I showed were just a sample - it's affecting all sorts of things. Here's a HTTP sample. I want to allow DMZ servers to connect to AV websites, and alert on any other Websites pass tcp $DMZES_NETS any -> any 80 (msg:"DMZ host to Trend";flow :to_server,established; content:"Host|3a|";pcre:"/Host: [^\s]+(trendmicro|trend| antivirus)\.com/si";depth:512;nocase;sid:3000024;) [bunch of other "pass" rules for other AV sites] alert tcp $DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 80 (msg:"DMZ host communicating to an unsupported Web server";flow:to_server,established; content:"Host|3a|";depth:512;nocase;tag: session, 10, packets;classtype:successful-admin;sid:1000008;rev:1;reference: url, /secure/cvename.php?name=1000001;) ...and yet we are currently getting alerts when DMZ servers call www.trendmicro.com. BASE shows "Host : www.trendmicro.com\r\n" in the offending packet - that should have matched the "pass" rule! And "-o" is present, and the output when snort starts shows: Rule application order: activation->dynamic->pass->drop->alert->log This is snort-2.8.2 under CentOS4.6 -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- issue with 2.8.2 Jason Haar (Jun 03)
- Re: issue with 2.8.2 Joel Esler (Jun 03)
- Re: issue with 2.8.2 Jason Haar (Jun 03)
- Re: issue with 2.8.2 Joel Esler (Jun 03)
- Re: issue with 2.8.2 Jason Haar (Jun 03)
- <Possible follow-ups>
- Re: issue with 2.8.2 Jason Haar (Jun 04)
- Re: issue with 2.8.2 Jason Haar (Jun 05)
- Message not available
- Re: issue with 2.8.2 Jason Haar (Jun 05)
- Re: issue with 2.8.2 CunningPike (Jun 09)
- Message not available
- Re: issue with 2.8.2 Joel Esler (Jun 03)