Snort mailing list archives

1st Attempt at writing some pass rules :-)


From: dogbert () netnevada net
Date: Fri, 23 Jul 2004 16:32:38 -0700

Hi All,

   Well, here is my first attempt at writing some pass rules to filter out the 
packets snort was complaining about earlier on the large ICMP packet (don't 
laugh, ok) :)

# Pass rules for ICMP from 172.21.0.0/16 to the two monitored hosts.
# Each pass rule keeps the match options of the stock alert rule it silences,
# but the two per-host copies are merged into one address list and each rule
# gets its own sid in the local (>1000000) range, so no sid is duplicated
# and none collides with the stock rule it mirrors.

# mirrors sid:499 (ICMP Large ICMP Packet)
pass icmp 172.21.0.0/16 any -> [10.1.1.21,10.1.1.23] any (msg:"ICMP Large ICMP Packet"; 
dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:1000001; rev:1;)

# mirrors sid:466 (ICMP L3retriever Ping)
pass icmp 172.21.0.0/16 any -> [10.1.1.21,10.1.1.23] any (msg:"ICMP L3retriever Ping"; 
content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype:8; icode:0; depth:32; 
reference:arachnids,311; classtype:attempted-recon; sid:1000002; rev:1;)

# mirrors sid:469 (ICMP PING NMAP), only for 10.1.1.21
pass icmp 172.21.0.0/16 any -> 10.1.1.21 any (msg:"ICMP PING NMAP"; dsize:0; 
itype:8; reference:arachnids,162; classtype:attempted-recon; sid:1000003; rev:1;)

now, do I make a new file to hold these pass rules, or can I just stuff them in 
local.rules?

Also, I was reading something about alerts being processed before pass rules, 
so would I need to insert something into snort.conf to make it process PASS, 
then ALERT?  Since pass means DROP, it won't do anything with the packet, even 
if it sees it, correct?

Bill
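Added example (editor's, not part of the original post or of the Snort distribution): a snort.conf fragment for Snort 2.x that makes pass rules take effect by changing the rule-evaluation order, with the pass rules kept in their own file. The directory /etc/snort/rules and the file name local-pass.rules are assumed placeholders; the `config order:` directive, `include`, and the `-o`/`-T` switches are Snort 2.x features.

```snort
# snort.conf fragment (Snort 2.x)
# Default evaluation order is alert -> pass -> log, so a pass rule never
# gets a chance to suppress an alert.  This directive changes it to
# pass -> alert -> log.  Equivalent to starting snort with the -o switch.
config order: pass alert log

# Assumed path for this example; adjust to the local layout.
var RULE_PATH /etc/snort/rules

# Keep pass rules in their own file so they are easy to find and review.
# local-pass.rules is an assumed file name holding the pass rules above.
include $RULE_PATH/local-pass.rules
include $RULE_PATH/local.rules
```

Check the result before deploying: `snort -T -c /etc/snort/snort.conf` parses the configuration and every included rule file in test mode and reports duplicate or malformed rules without starting to sniff. Note that a pass rule does not drop anything; Snort simply stops evaluating the matching packet against the remaining rules, so nothing is alerted or logged for it.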



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net