Snort mailing list archives
Re: Rules: reliably ignoring a host
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 06 Aug 2001 07:36:54 -0400
Isn't NFS on port 2049 instead of 2409? Barring that being the problem,
check the last line of Snort's output before the "Initialization
Complete" message, it should say something like:
Rule application order: ->pass->activation->dynamic->alert->log
If "pass" isn't the first thing there, then something's wrong. If all
you want to do is completely ignore this machine's NFS traffic, try a
BPF filter if all else fails:
snort -t /var/log/snort -l . -b -c config/snort.conf -o -A fast -m 037 -y not port 2049
-Marty
Chris Adams wrote:
We have a busy NFS server which generates a great deal of traffic to
most of our machines, including the host running snort. I added it to
the portscan ignore list, which worked fine. I want to ignore all NFS
traffic from this system for everything else, particularly since it
triggers things like the x86 NOP alerts (all those x86 binaries being
served...).
Here's the command-line I'm using with snort 1.8p1:
snort -t /var/log/snort -l . -b -c config/snort.conf -o -A fast -m 037 -y
Here are the pass rules:
pass udp any any -> server 2409
pass udp server 2409 -> any any
I've also tested with any instead of the NFS port (I'd like to watch for
other UDP activity). Unfortunately, I'm still getting thousands of
alerts like these:
08/05/01-20:02:58.497460 [**] [1:648:2] SHELLCODE x86 NOOP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} NFS_SERVER -> NFS_CLIENT
08/05/01-22:04:52.572829 [**] [1:651:2] SHELLCODE x86 stealth NOOP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} NFS_SERVER -> NFS_CLIENT
I've changed my config to do something I should have done earlier
($HOME_NET = network/24; $EXTERNAL_NET = !$HOME_NET) which looks like it
would solve this but I was wondering if anyone could shed some light on
*why* this happened.
I was under the impression that since the -o flag causes all pass rules
to be applied before any alert rules the two pass rules would thus
remove any UDP traffic to or from that server. Obviously, this wasn't
happening and I haven't figured out why, despite some quality time with
the manuals and google. Can anyone shed some light on this?
Chris
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
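A corrected version of the pass-rule approach, added here as an illustration and not taken from either post in the thread: the server address 10.0.0.5 and the HOME_NET range are hypothetical placeholders, the port is 2049 as Marty points out, and one bidirectional rule replaces the two one-way rules from the original question.

```snort
# snort.conf fragment (added example; addresses are hypothetical placeholders)
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET !$HOME_NET
var NFS_SERVER 10.0.0.5

# NFS over UDP is on port 2049, not 2409, so a pass rule written for 2409
# never matches and the SHELLCODE x86 NOOP rules still fire on the served
# binaries. The <> operator matches both directions, so one rule covers
# server->client replies and client->server requests. With -o on the
# command line the startup log should show
#   Rule application order: ->pass->activation->dynamic->alert->log
# and a packet that matches this rule is dropped from further inspection
# before any alert rule sees it.
pass udp $NFS_SERVER 2049 <> $HOME_NET any (msg:"NFS/UDP to or from trusted file server"; sid:1000001; rev:1;)

# If the same server also serves NFS over TCP, cover that as well.
pass tcp $NFS_SERVER 2049 <> $HOME_NET any (msg:"NFS/TCP to or from trusted file server"; sid:1000002; rev:1;)
```

Start Snort with -o as in the thread and confirm that the "Rule application order" line printed just before "Initialization Complete" begins with pass; without -o the default order evaluates alert rules first and the pass rules above have no effect on alerting. If you prefer Marty's BPF fallback, narrow it to the one host rather than blinding Snort to all NFS on the segment, by giving the expression as the trailing argument, for example: snort -t /var/log/snort -l . -b -c config/snort.conf -o -A fast -m 037 -y 'not (host 10.0.0.5 and port 2049)' (quoted so the shell does not interpret the parentheses). Note that a BPF filter is applied before decoding, so the excluded packets also never reach the portscan preprocessor or the binary log.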
Current thread:
- Rules: reliably ignoring a host Chris Adams (Aug 05)
- Re: Rules: reliably ignoring a host Martin Roesch (Aug 06)
- Re: Rules: reliably ignoring a host Chris Adams (Aug 06)
- Re: Rules: reliably ignoring a host Martin Roesch (Aug 06)
