Snort mailing list archives

Help with pass rule


From: francisv () dagupan com
Date: Wed, 28 Aug 2002 14:33:41 +0800

Hi,

I have the following configuration:

var HOME_NET 192.168.0.0/22
var SERVER_NET 192.168.1.128/25
var DIALUP_NET 192.168.1.0/25
var EXTERNAL_NET !$HOME_NET

# Ignore traffic coming from $SERVER_NET
pass ip $SERVER_NET any -> $EXTERNAL_NET any
pass tcp $SERVER_NET any -> $EXTERNAL_NET any
pass udp $SERVER_NET any -> $EXTERNAL_NET any
pass icmp $SERVER_NET any -> $EXTERNAL_NET any

# Ignore scan proxy attempts
pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

The idea is to ignore traffic coming from the $SERVER_NET block going out
and ignore scan attempts from outside going inside $HOME_NET. The problem is
I still see alerts for scan proxy attempts from outside. This is how I run
snort:

        /usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf

---
 francis a. vidal [bitstop network services] | http://www.bitstop.ph
 streaming media + web hosting               | http://www.keystone.ph
 v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph 
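An added example, not part of the original post: a small Python check of which packets the posted pass rule headers cover. It models only the rule header (protocol, addresses, ports, the `->` direction), not Snort's rule ordering, rule options or preprocessors; the function names are hypothetical and the packets in the usage note are constructed.

```python
import ipaddress

# Variables and pass rules copied from the post above.
CONF = """
var HOME_NET 192.168.0.0/22
var SERVER_NET 192.168.1.128/25
var DIALUP_NET 192.168.1.0/25
var EXTERNAL_NET !$HOME_NET
pass ip $SERVER_NET any -> $EXTERNAL_NET any
pass tcp $SERVER_NET any -> $EXTERNAL_NET any
pass udp $SERVER_NET any -> $EXTERNAL_NET any
pass icmp $SERVER_NET any -> $EXTERNAL_NET any
pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
pass tcp $EXTERNAL_NET any -> $HOME_NET 1080
"""

def parse(conf):
    """Return (variables, pass-rule headers) from var/pass lines."""
    variables, rules = {}, []
    for line in conf.split("\n"):
        f = line.split()
        if f[:1] == ["var"]:
            variables[f[1]] = f[2]
        elif f[:1] == ["pass"]:
            # proto, src, sport, dst, dport (f[4] is the "->" operator)
            rules.append((f[1], f[2], f[3], f[5], f[6]))
    return variables, rules

def addr_match(spec, ip, variables):
    """Match an address spec: 'any', a CIDR, $VAR, or a '!' negation."""
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_match(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def passed_by(pkt, conf=CONF):
    """Return the first pass header matching pkt, or None if none does."""
    variables, rules = parse(conf)
    proto, src, sport, dst, dport = pkt
    for r in rules:
        if (r[0] in ("ip", proto)            # an "ip" rule covers any protocol
                and addr_match(r[1], src, variables)
                and r[2] in ("any", str(sport))
                and addr_match(r[3], dst, variables)
                and r[4] in ("any", str(dport))):
            return " ".join(r[:3] + ("->",) + r[3:])
    return None
```

Calling `passed_by(("tcp", "203.0.113.7", 40000, "192.168.1.10", 3128))` returns the port 3128 pass header, while the same constructed packet sent to port 80 returns `None`.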


