Snort mailing list archives

non TCP/UDP/ICMP pass rules not working?


From: DTakemori () thdfsg com
Date: Fri, 28 Jan 2011 16:11:51 -1000

Hi,

I'm trying to configure snort to alert on "unknown" IPSEC traffic on a network.
I have the following setup:

]# snort --version

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.0.3 (Build 98)
  ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2010 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 6.6 06-Feb-2006
          Using ZLIB version: 1.2.3


In snort.conf :
config order: pass activation dynamic drop sdrop reject alert log
output alert_csv: alert.csv

In local.rules:
pass ip XXX.XXX.XXX.100 any <> XXX.XXX.XXX.101 any (ip_proto:50; sid:1000000; rev:1;)
pass ip XXX.XXX.XXX.100 any -> XXX.XXX.XXX.101 any (ip_proto:50; sid:1000001; rev:1;)
pass ip XXX.XXX.XXX.101 any -> XXX.XXX.XXX.100 any (ip_proto:50; sid:1000002; rev:1;)
pass ip [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any -> XXX.XXX.XXX.100 any (ip_proto:50; sid:1000003; rev:1;)
pass ip XXX.XXX.XXX.100 any -> [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any (ip_proto:50; sid:1000004; rev:1;)
pass ip [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any <> [XXX.XXX.XXX.100,XXX.XXX.XXX.101] any (ip_proto:50; sid:1000005; rev:1;)
pass ip XXX.XXX.XXX.100 any <> any any (ip_proto:50; sid:1000006; rev:1;)
pass ip XXX.XXX.XXX.101 any <> any any (ip_proto:50; sid:1000007; rev:1;)

alert ip any any -> any any (msg:"Unknown IP protocol 50 traffic"; ip_proto:50; classtype:non-standard-protocol; sid:2000000; rev:1;)

I know the rules are highly redundant, but I've tried them separately and in various combinations
to no avail.  I still get alerts like this:


01/28-15:53:43.759947 ,1,2000000,1,"Unknown IP protocol 50 traffic",,XXX.XXX.XXX.100,,XXX.XXX.XXX.101,, etc etc ...


Am I misunderstanding how the pass rules are supposed to work?  Is there some precedence other than
the config order: that's taking place?  Note that I'm having similar problems with other ip_protocols as well.


Dean Takemori
Systems Support Supervisor
TD Food Group
dtakemori () thdfsg com
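While the pass rules are not suppressing the alerts, the alert_csv output the post quotes still carries enough to separate protocol-50 traffic between the two known IPsec peers from protocol-50 traffic involving any other host. The following is an added example (not code from the post or from the Snort project) that parses alert_csv lines in the layout visible in the quoted sample (timestamp, generator, sid, rev, msg, proto, src, srcport, dst, dstport, ...) and reports only the alerts whose source/destination pair is not one of the expected peer pairs. The sample lines, the 192.0.2.x / 198.51.100.x / 203.0.113.x documentation addresses standing in for the XXX.XXX.XXX.x placeholders, and the KNOWN_PEER_PAIRS set are all constructed for the example; it is a post-processing triage step, not a substitute for getting the pass rules to work.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of Snort alert_csv output, modelled on the single line quoted in
# the post. Documentation addresses stand in for the XXX.XXX.XXX.x placeholders.
SAMPLE_ALERT_CSV = """\
01/28-15:53:43.759947 ,1,2000000,1,"Unknown IP protocol 50 traffic",,192.0.2.100,,192.0.2.101,,
01/28-15:53:44.102331 ,1,2000000,1,"Unknown IP protocol 50 traffic",,192.0.2.101,,192.0.2.100,,
01/28-15:54:01.000042 ,1,2000000,1,"Unknown IP protocol 50 traffic",,198.51.100.7,,192.0.2.100,,
01/28-15:54:02.500000 ,1,2000000,1,"Unknown IP protocol 50 traffic",,192.0.2.100,,203.0.113.9,,
"""

# Hypothetical set of IPsec peer pairs the pass rules were meant to cover. Each pair is
# unordered, mirroring the bidirectional "<>" rules in the post.
KNOWN_PEER_PAIRS = {frozenset({"192.0.2.100", "192.0.2.101"})}


@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    src: str
    dst: str


def parse_alert_csv(text):
    """Parse alert_csv lines into Alert records.

    Field positions are assumed from the default alert_csv layout as it appears in the
    post's sample line: 0=timestamp, 2=sid, 4=msg, 6=src, 8=dst. Snort emits a trailing
    space after the timestamp, which is stripped here.
    """
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9 or not row[0].strip():
            continue  # blank or truncated line
        alerts.append(Alert(
            timestamp=row[0].strip(),
            sid=int(row[2]),
            msg=row[4],
            src=row[6],
            dst=row[8],
        ))
    return alerts


def is_known_pair(alert, known_pairs=KNOWN_PEER_PAIRS):
    """True when the alert's endpoints form one of the expected peer pairs (either direction)."""
    return frozenset({alert.src, alert.dst}) in known_pairs


def unexpected_alerts(text, sid=2000000, known_pairs=KNOWN_PEER_PAIRS):
    """Return alerts for the given sid whose endpoints are not an expected peer pair.

    sid 2000000 is the "Unknown IP protocol 50 traffic" rule from the post.
    """
    return [a for a in parse_alert_csv(text)
            if a.sid == sid and not is_known_pair(a, known_pairs)]


if __name__ == "__main__":
    for a in unexpected_alerts(SAMPLE_ALERT_CSV):
        print(f"{a.timestamp} unexpected proto-50 traffic {a.src} -> {a.dst}")
```

Run against a real alert.csv by reading the file into `unexpected_alerts`; the two intra-peer lines in the sample are dropped and the two lines involving an outside host are reported.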
