Snort mailing list archives
Re: PASS rule not working?
From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 4 Aug 2009 08:46:29 -0600
You can also run your rules through the tool that Leon recently created to look for just such errors / omissions called dumbpig => http://leonward.wordpress.com/2009/06/07/dumbpig-automated-checking-for-snort-rulesets/

JJC

On Tue, Aug 4, 2009 at 7:56 AM, Joel Esler <jesler () sourcefire com> wrote:
> Is that all your pass rule says? You need a MSG, more importantly, you need to have a sid. Or else Snort ignores your mistake.
>
> --
> Sent from my iPhone
>
> On Aug 4, 2009, at 5:35 AM, Loïc Etienne <loic.etienne () cern ch> wrote:
>
>> Hello,
>>
>> We are using custom pass rules to disable alerts for some hosts/ports, but still get alerts for those... We are using Snort SP beta 2. Is there a problem with our rules? Rule order is "Rule application order: activation->dynamic->pass->drop->alert->log".
>>
>> Thanks in advance for your help! Details below:
>>
>> The pass rule:
>>
>> pass tcp any 1024: <> 83.231.216.140 8000
>>
>> The alert rule:
>>
>> alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \
>>     msg:"IRC NICK command"; \
>>     flow:established; \
>>     content:"NICK"; offset:0; depth:256; \
>>     pcre:"/^((\x3a[^\x00\x20\r\n]+\x20+)?\w+(\x20[^\x00\r\n]*)?\r?\n)*?(\x3a[^\x00\x20\r\n]+\x20+)?NICK\x20/is"; \
>>     classtype:policy-violation; \
>>     sid:3584011; rev:4; )
>>
>> And the unexpected alert:
>>
>> [**] [1:3584011:4] IRC NICK command [**]
>> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>> 08/03/09-10:59:03.366483 137.xxx.xxx.xxx:2774 -> 83.231.216.140:8000
>> TCP TTL:124 TOS:0x0 ID:37448 IpLen:20 DgmLen:103 DF
>> ***AP*** Seq: 0x335AA519 Ack: 0x7AC349AF Win: 0xFFFF TcpLen: 20
>>
>> Cheers,
>> Loïc Etienne
------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
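The two checks raised in this thread, that a rule needs msg and sid and that a linter such as dumbpig catches exactly this kind of omission, can be scripted. The block below is an added example and is not code from the thread, from dumbpig or from Snort. It parses classic Snort 2 rule headers and option lists, reports rules missing msg or sid, and tests whether a rule header would cover the 5-tuple printed in an alert, so you can separate "the pass rule never loaded" from "the pass rule does not cover this flow". The pass rule, the alert rule (pcre omitted) and the alert flow are taken from Loïc's message; the masked source address is replaced by the constructed stand-in 137.0.0.1. The header matcher is a simplified model (single IPs or CIDRs, bracketed comma lists, port ranges, `!` negation, `$VAR` lookups from a dict you pass in), not Snort's own matching engine.

```python
# Added example: a small linter for classic Snort 2 rules, not code from the
# thread, from dumbpig or from Snort. Flags rules missing msg/sid and tests
# whether a rule header would cover the 5-tuple printed in an alert.
import ipaddress
import re

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$",
    re.S)
REQUIRED_OPTS = ("msg", "sid")  # what the thread says every rule needs

# Rules quoted in the thread (pcre left out of the alert rule for brevity).
PASS_RULE = "pass tcp any 1024: <> 83.231.216.140 8000"
ALERT_RULE = """alert tcp any $IRC_PORTS -> any $IRC_PORTS ( \\
    msg:"IRC NICK command"; \\
    flow:established; \\
    content:"NICK"; offset:0; depth:256; \\
    classtype:policy-violation; \\
    sid:3584011; rev:4; )"""
# Flow from the thread's alert; its source address is masked (137.xxx.xxx.xxx),
# so 137.0.0.1 is a constructed stand-in.
ALERT_FLOW = ("tcp", "137.0.0.1", 2774, "83.231.216.140", 8000)


def _split_options(opts):
    """Split 'a:x; b:"y;z";' into [(name, value)], ignoring ';' inside quotes."""
    pairs, buf, quoted, prev = [], "", False, ""
    for ch in opts + ";":
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            name, _, value = buf.strip().partition(":")
            if name:
                pairs.append((name.strip(), value.strip()))
            buf = ""
        else:
            buf += ch
        prev = ch
    return pairs


def parse_rule(text):
    """Parse one rule (backslash continuation lines allowed) into a dict."""
    flat = re.sub(r"\\\s*\n", " ", text).strip()
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule header: %r" % flat[:40])
    rule = m.groupdict()
    rule["options"] = _split_options(rule["opts"] or "")
    return rule


def lint(rule):
    """Report the missing msg/sid options the thread points at."""
    present = {name for name, _ in rule["options"]}
    missing = [o for o in REQUIRED_OPTS if o not in present]
    return ["missing option(s): " + ", ".join(missing)] if missing else []


def _resolve(spec, variables):
    # Strip '!' negation and look up $VAR; unknown variables resolve to None.
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    return negate, (variables.get(spec[1:]) if spec.startswith("$") else spec)


def _port_covers(spec, port, variables):
    negate, spec = _resolve(spec, variables)
    if spec is None:
        return None
    hit = spec == "any"
    for part in [] if hit else spec.strip("[]").split(","):
        lo, sep, hi = part.partition(":")      # forms: N, N:, :N, N:M
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        hit = hit or low <= port <= high
    return (not hit) if negate else hit


def _ip_covers(spec, ip, variables):
    negate, spec = _resolve(spec, variables)
    if spec is None:
        return None
    addr = ipaddress.ip_address(ip)
    hit = spec == "any" or any(addr in ipaddress.ip_network(p, strict=False)
                               for p in spec.strip("[]").split(","))
    return (not hit) if negate else hit


def rule_covers(rule, proto, src_ip, src_port, dst_ip, dst_port, variables=None):
    """True/False when the header decides the flow, None when a $VAR is unknown."""
    variables = variables or {}
    if rule["proto"] not in ("ip", proto):
        return False

    def one_way(a_ip, a_port, b_ip, b_port):
        checks = [_ip_covers(rule["src"], a_ip, variables),
                  _port_covers(rule["sport"], a_port, variables),
                  _ip_covers(rule["dst"], b_ip, variables),
                  _port_covers(rule["dport"], b_port, variables)]
        return False if False in checks else (None if None in checks else True)

    fwd = one_way(src_ip, src_port, dst_ip, dst_port)
    if rule["dir"] == "->" or fwd is True:
        return fwd
    rev = one_way(dst_ip, dst_port, src_ip, src_port)  # '<>' matches either way
    return True if rev is True else (None if None in (fwd, rev) else False)


if __name__ == "__main__":
    for text in (PASS_RULE, ALERT_RULE):
        rule = parse_rule(text)
        print(rule["action"], dict(rule["options"]).get("sid", "(no sid)"),
              lint(rule) or "ok")
    print("pass rule header covers the alerted flow:",
          rule_covers(parse_rule(PASS_RULE), *ALERT_FLOW))
```

Run as-is, the script reports the thread's pass rule as missing both msg and sid while its header does cover the alerted flow (2774 falls in 1024:, and 83.231.216.140:8000 matches on the reverse side of `<>`), which is the combination that points at the missing options rather than at the header. `rule_covers` returns None rather than guessing when a header uses a variable such as $IRC_PORTS that you have not supplied; pass the snort.conf values in `variables` to get a decision.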
Current thread:
- PASS rule not working? Loïc Etienne (Aug 04)
- Re: PASS rule not working? Joel Esler (Aug 04)
- Re: PASS rule not working? JJ Cummings (Aug 04)
- Re: PASS rule not working? Joel Esler (Aug 04)