Snort mailing list archives
non TCP/UDP/ICMP pass rules not working?
From: DTakemori () thdfsg com
Date: Fri, 28 Jan 2011 16:11:51 -1000
Hi, I'm trying to configure Snort to alert on "unknown" IPSEC traffic on a network. I have the following setup:

]# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 (Build 98)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

In snort.conf:

config order: pass activation dynamic drop sdrop reject alert log
output alert_csv: alert.csv

In local.rules:

pass ip XXX.XXX.XXX.100 any <> XXX.XXX.XXX.101 any (ip_proto:50; sid:1000000; rev:1;)
pass ip XXX.XXX.XXX.100 any -> XXX.XXX.XXX.101 any (ip_proto:50; sid:1000001; rev:1;)
pass ip XXX.XXX.XXX.101 any -> XXX.XXX.XXX.100 any (ip_proto:50; sid:1000002; rev:1;)
pass ip [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any -> XXX.XXX.XXX.100 any (ip_proto:50; sid:1000003; rev:1;)
pass ip XXX.XXX.XXX.100 any -> [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any (ip_proto:50; sid:1000004; rev:1;)
pass ip [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any <> [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any (ip_proto:50; sid:1000005; rev:1;)
pass ip XXX.XXX.XXX.100 any <> any any (ip_proto:50; sid:1000006; rev:1;)
pass ip XXX.XXX.XXX.101 any <> any any (ip_proto:50; sid:1000007; rev:1;)
alert ip any any -> any any (msg:"Unknown IP protocol 50 traffic"; ip_proto:50; classtype:non-standard-protocol; sid:2000000; rev:1;)

I know the rules are highly redundant, but I've tried them separately and in various combinations to no avail. I still get alerts like this:

01/28-15:53:43.759947 ,1,2000000,1,"Unknown IP protocol 50 traffic",,XXX.XXX.XXX.100,,XXX.XXX.XXX.101,,
etc etc ...

Am I misunderstanding how the pass rules are supposed to work? Is there some precedence other than the config order: that's taking place? Note that I'm having similar problems with other ip_protocols as well.

Dean Takemori
Systems Support Supervisor
TD Food Group
dtakemori () thdfsg com
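As an added illustration (not part of the post, and a simplified model rather than Snort's real detection engine): a small Python matcher that parses rule headers like the ones above and reports which rule wins for a given flow when actions are ranked by the post's "config order: pass ... alert". The redacted XXX.XXX.XXX.100/.101 hosts are replaced by constructed 192.0.2.x addresses; ports, CIDR, negation and rule options other than ip_proto/sid are not modelled.

```python
import re

# Constructed sample addresses (RFC 5737 documentation range) standing in for
# the redacted XXX.XXX.XXX.100 / .101 hosts in the post.
A, B = "192.0.2.100", "192.0.2.101"

# A subset of the poster's pass rules plus the catch-all alert, in the order given.
RULES = [
    f"pass ip {A} any <> {B} any (ip_proto:50; sid:1000000; rev:1;)",
    f"pass ip {A} any -> {B} any (ip_proto:50; sid:1000001; rev:1;)",
    f"pass ip [{A},{B}] any <> [{A},{B}] any (ip_proto:50; sid:1000005; rev:1;)",
    f"pass ip {A} any <> any any (ip_proto:50; sid:1000006; rev:1;)",
    'alert ip any any -> any any (msg:"Unknown IP protocol 50 traffic"; ip_proto:50; sid:2000000; rev:1;)',
]

# Rule header: action, "ip", src, src port, direction, dst, dst port, (options).
HEADER = re.compile(r"^(\w+)\s+ip\s+(\S+)\s+\S+\s+(->|<>)\s+(\S+)\s+\S+\s+\((.*)\)\s*$")

# The post's "config order: pass activation dynamic drop sdrop reject alert log".
ORDER = ["pass", "activation", "dynamic", "drop", "sdrop", "reject", "alert", "log"]

def parse_addr(tok):
    # "[a,b]" -> {"a", "b"}; "any" -> {"any"}. CIDR and negation are not modelled.
    return set(tok.strip("[]").split(","))

def parse_rule(text):
    m = HEADER.match(text)
    if not m:
        raise ValueError(f"unparsed rule: {text}")
    action, src, direction, dst, opts = m.groups()
    o = dict(kv.strip().split(":", 1) for kv in opts.split(";") if ":" in kv)
    return {"action": action, "src": parse_addr(src), "dir": direction,
            "dst": parse_addr(dst), "ip_proto": int(o["ip_proto"]), "sid": int(o["sid"])}

def rule_matches(r, src, dst, proto):
    hit = lambda wanted, a: "any" in wanted or a in wanted
    fwd = hit(r["src"], src) and hit(r["dst"], dst)
    # "<>" is bidirectional: also accept the flow with src/dst swapped.
    rev = r["dir"] == "<>" and hit(r["src"], dst) and hit(r["dst"], src)
    return r["ip_proto"] == proto and (fwd or rev)

def verdict(rules, src, dst, proto):
    """Return (action, sid) of the winning rule under ORDER precedence, or None."""
    parsed = [parse_rule(t) for t in rules]
    for action in ORDER:           # pass rules are consulted before alert rules
        for r in parsed:
            if r["action"] == action and rule_matches(r, src, dst, proto):
                return action, r["sid"]
    return None
```

Comparing this model's verdict for a flow with what Snort actually logs for the same packets is a quick way to tell a rule-header mistake apart from an engine-side ordering issue, which is the question the post raises.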
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- non TCP/UDP/ICMP pass rules not working? DTakemori (Feb 04)
- Re: non TCP/UDP/ICMP pass rules not working? Russ Combs (Feb 04)