Snort mailing list archives
RE: Same source/dest
From: "Brei, Matt" <mbrei () medclaiminc com>
Date: Wed, 2 Apr 2003 13:48:35 -0500
How do I go about adding a BPF, and what is a BPF as long as I'm asking how to add one? Thank you.

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, April 02, 2003 11:59 AM
To: Brei, Matt
Cc: snort-users
Subject: RE: [Snort-users] Same source/dest

On Wed, 2 Apr 2003, Brei, Matt wrote:
That's exactly what I did. I'll refer you to my first post seen below.

pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)
Remove the extra stuff. It's not needed, and you're 'reusing' a SID which you shouldn't do. You can shorten all that to:

pass ip 10.13.110.254 53 -> 10.13.110.254 1026

If 1026 is what port it always hits on. If it varies, then change it to:

pass ip 10.13.110.254 53 -> 10.13.110.254 any

I'm assuming that this is DNS traffic. To reduce the chance of something bad slipping by you could make it:

pass udp 10.13.110.254 53 -> 10.13.110.254 any

One thing to think about: If you're seeing a lot of traffic of this type, instead of using a pass rule, use a BPF filter. By using the BPF filter, you are stopping the packets from ever getting into Snort. As minor as that sounds, that can save you CPU cycles which is a good thing. It eliminates the need for reading and parsing the pass rules, and the comparisons to see if it should be passed. On a heavily loaded network, that could be a significant savings.
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
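As an added example (not code from this thread or from the Snort project), the Python below parses the pass-rule headers quoted above and builds the BPF exclusion expression that Erek suggests instead; Snort takes such an expression as trailing command-line arguments or reads it from a file with -F. The rule strings and packet tuples are constructed for illustration, and only the single-IP, single-port-or-any headers seen in the thread are supported.

```python
import ipaddress
import re

# Parser for the Snort pass-rule headers quoted in this thread:
#   pass <proto> <src_ip> <src_port> -> <dst_ip> <dst_port> [(options)]
# Only single IPs and single ports or 'any' are handled, as in the thread's rules.
RULE_RE = re.compile(
    r"^pass\s+(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)

def parse_pass_rule(rule):
    """Return the header fields of a pass rule; a trailing option block is ignored."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a supported pass rule header: %r" % rule)
    fields = m.groupdict()
    ipaddress.ip_address(fields["src"])  # raises on anything but a bare IP address
    ipaddress.ip_address(fields["dst"])
    return fields

def to_bpf_exclusion(fields):
    """Build the BPF expression that keeps this flow out of the capture entirely."""
    terms = []
    if fields["proto"] != "ip":  # 'ip' in a Snort header means any IP protocol
        terms.append(fields["proto"])
    terms.append("src host " + fields["src"])
    if fields["sport"] != "any":
        terms.append("src port " + fields["sport"])
    terms.append("dst host " + fields["dst"])
    if fields["dport"] != "any":
        terms.append("dst port " + fields["dport"])
    return "not (" + " and ".join(terms) + ")"

def pass_rule_matches(fields, pkt):
    """True if the header matches pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, sport, dst, dport = pkt
    return (fields["proto"] in ("ip", proto)
            and fields["src"] == src and fields["dst"] == dst
            and fields["sport"] in ("any", str(sport))
            and fields["dport"] in ("any", str(dport)))

if __name__ == "__main__":
    # Constructed packets: the DNS flow from the thread and a TCP flow between the same hosts.
    dns = ("udp", "10.13.110.254", 53, "10.13.110.254", 1026)
    tcp = ("tcp", "10.13.110.254", 53, "10.13.110.254", 1026)
    for rule in ("pass ip 10.13.110.254 53 -> 10.13.110.254 1026",
                 "pass udp 10.13.110.254 53 -> 10.13.110.254 any"):
        f = parse_pass_rule(rule)
        print(rule, "=>", to_bpf_exclusion(f), pass_rule_matches(f, dns), pass_rule_matches(f, tcp))
```

A BPF exclusion removes the matching packets from every rule Snort would run, not just sid 527, so the narrowest expression (udp, both hosts, port 53) keeps the blind spot small, which is the same reason the thread prefers `udp` over `ip` in the pass rule.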