Snort mailing list archives
Pass rules - no effect/not working
From: Ward Sladek <wsladekjr () hotmail com>
Date: Sat, 26 Jan 2013 02:53:50 -0600
I have several pass rules for which I continue to get alerts and need some help figuring out why... Some of them are very basic rules, just host/port -> host/port.
I'm running Snort version 2.9.4 GRE (Build 40) on CentOS 6.3 and here is my rule order config:
config order: pass activation dynamic drop sdrop reject alert log
Sample pass rules that are not working:
pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)
And the alerts that should not be triggering:
Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP} 10.16.135.95:947 -> 10.16.135.2:2049
Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 10.16.135.2:2049 -> 10.16.135.95:947
Solutions I've tried:
1. Separating the pass rule into two directional rules (as seen above) instead of using just one rule with the bidirectional operator
2. Configured the event_queue to order by priority, then made a custom classtype "pass-rule" with the highest priority of "1", incrementing all others +1 (hoping this would ensure my pass rules are processed first)
3. Ran it through Dumbpig just to be sure... It reports two problems, however they're unrelated to this: "TCP/UDP rule with no deep packet checks?" and "TCP, without flow."
Any idea what I may be doing wrong or why I'm still getting alerts?
Thanks in advance,
-W
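As an added example (not part of the original post and not Snort's own code), a small Python check that parses pass rule headers and fast-alert lines like the ones quoted above and reports every alert whose 5-tuple a pass rule should have covered; it also handles `any`, CIDR blocks and `lo:hi` port ranges, which the post's rules do not use. The sample input is constructed from the post's two rules and two alerts, plus one made-up alert to a third host that no pass rule covers.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the post's pass rules and alerts, plus one made-up alert (10.16.135.77).
PASS_RULES = """
pass tcp 10.16.135.95 947 -> 10.16.135.2 2049 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1000; rev:2;)
pass tcp 10.16.135.2 2049 -> 10.16.135.95 947 (msg:"LOCAL NFS traffic due to Xen Storage Repository"; classtype:pass-rule; sid:1001; rev:2;)
"""
ALERTS = """
Jan 26 02:00:09 dev01 snort[34315]: [1:1394:14] INDICATOR-SHELLCODE x86 inc ecx NOOP [Classification: Executable code was detected] [Priority: 2] {TCP} 10.16.135.95:947 -> 10.16.135.2:2049
Jan 25 23:03:43 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 10.16.135.2:2049 -> 10.16.135.95:947
Jan 25 23:05:01 dev01 snort[20698]: [1:2000428:10] ET POLICY ZIP file download [Classification: Misc activity] [Priority: 3] {TCP} 10.16.135.2:2049 -> 10.16.135.77:947
"""
RULE_RE = re.compile(r'^pass\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)')
ALERT_RE = re.compile(r'\[(\d+:\d+:\d+)\].*\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)')

def _addr_match(pattern, addr):
    # Rule header address: 'any', a host, or a CIDR block (lists and '!' negation not handled).
    return pattern == 'any' or ip_address(addr) in ip_network(pattern, strict=False)
def _port_match(pattern, port):
    # Rule header port: 'any', a single port, or a lo:hi range with either end open.
    if pattern == 'any' or pattern == str(port):
        return True
    lo, sep, hi = pattern.partition(':')
    return bool(sep) and int(lo or 0) <= int(port) <= int(hi or 65535)

def parse_pass_rules(text):
    rules = []
    for m in filter(None, map(RULE_RE.match, text.strip().splitlines())):
        proto, src, sport, op, dst, dport, body = m.groups()
        sid = re.search(r'sid:\s*(\d+)', body)
        rules.append(dict(proto=proto.lower(), src=src, sport=sport, op=op,
                          dst=dst, dport=dport, sid=sid.group(1) if sid else '?'))
    return rules

def rule_covers(rule, proto, src, sport, dst, dport):
    # True when the alert's 5-tuple falls inside the pass rule's header (both ways for '<>').
    def one_way(s, sp, d, dp):
        return (_addr_match(rule['src'], s) and _port_match(rule['sport'], sp)
                and _addr_match(rule['dst'], d) and _port_match(rule['dport'], dp))
    if rule['proto'] not in ('ip', proto.lower()):
        return False
    return one_way(src, sport, dst, dport) or (rule['op'] == '<>' and one_way(dst, dport, src, sport))

def alerts_inside_pass_scope(alert_text, rules):
    # Returns (alert gid:sid:rev, pass rule sid) for each alert a pass rule should have suppressed.
    hits = []
    for m in filter(None, map(ALERT_RE.search, alert_text.strip().splitlines())):
        gsr, proto, src, sport, dst, dport = m.groups()
        hits += [(gsr, r['sid']) for r in rules if rule_covers(r, proto, src, sport, dst, dport)]
    return hits
```

Running `alerts_inside_pass_scope(ALERTS, parse_pass_rules(PASS_RULES))` flags the two alerts from the post and not the constructed third one, which is the list you would expect to be empty if the pass rules were taking effect.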