snort-devel July 2008 archive

Re: [Snort-devel] Snort 2.8.2.1 Now Available

From: christian mock <cm_at_nospam>
Date: Thu Jul 24 2008 - 10:23:18 GMT
To: Steven Sturges <steve.sturges@sourcefire.com>


On Wed, Jul 23, 2008 at 01:13:31PM -0400, Steven Sturges wrote:

> Can you send us relevant parts of your configuration?

see below.

> How are your prioritizing rules? Priority? Use of
> -o flag (or other command-line switches)?

I have no special priority setting, and tried both "-o" (until I discovered it is disabled in the source) and "config order: pass alert log". syslog says the ordering settings are applied (e.g. "Rule application order: activation->dynamic->pass->drop->alert->log ").

> When you say "pass rules in front", what do you mean?

I'm using the following rules:

pass udp $HOME_NET any -> $HOME_NET 161
pass icmp 62.116.68.33/32 any -> $HOME_NET any
pass icmp any any -> 62.116.68.35/32 any
pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
pass icmp 192.168.1.128 any -> any any
pass udp any any -> 192.168.1.1 53
alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)

I do a DNS lookup and a ping from 192.168.1.128 to 192.168.1.1, and I get:

07/24-12:04:39.037287 [**] [1:1234568:1] DNS [**] [Priority: 0] {UDP} 192.168.1.128:36850 -> 192.168.1.1:53
07/24-12:04:39.038440 [**] [1:1234567:1] ICMP [**] [Priority: 0] {ICMP} 192.168.1.128 -> 192.168.1.1

Both should be passed by rules #5 and #6. When I delete rules #1-#4, it works as expected. When I reorder the rules, it also works:

pass icmp 192.168.1.128 any -> any any
pass udp any any -> 192.168.1.1 53
pass udp $HOME_NET any -> $HOME_NET 161
pass icmp 62.116.68.33/32 any -> $HOME_NET any
pass icmp any any -> 62.116.68.35/32 any
pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)

I attach the snort.conf I'm using which is derived from the distributed version with the necessary adaptations.

Let me know if I can help with more info,

cm.

--
Christian Mock                        Wiedner Hauptstr. 15
Senior Security Engineer              1040 Wien
CoreTEC IT Security Solutions GmbH    +43-1-5037273
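The behaviour the poster expects can be checked against a small offline model of Snort's rule-header matching under "config order: pass alert log". This is an added example, not code from the post or from Snort itself: it matches only on protocol, addresses and ports (rule options and Snort's real detection engine are ignored) and assumes $HOME_NET is 192.168.1.0/24.

```python
# Added example: first-match evaluation of the poster's rules, pass rules before
# alert rules. Matches headers only; HOME_NET value is an assumption.
import ipaddress

HOME_NET = "192.168.1.0/24"  # assumption, not from the post

def _net_ok(spec, ip):
    spec = HOME_NET if spec == "$HOME_NET" else spec
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)

def parse_rule(line):
    """Parse the header part: action proto src sport dir dst dport [(options)]."""
    action, proto, src, sport, direction, dst, dport = line.split("(", 1)[0].split()
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, text=line)

def rule_matches(rule, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); ports are None for ICMP."""
    proto, sip, sp, dip, dp = pkt
    if rule["proto"] != proto:
        return False
    def one_way(a, ap, b, bp):
        return _net_ok(a, sip) and _port_ok(ap, sp) and _net_ok(b, dip) and _port_ok(bp, dp)
    fwd = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["direction"] == "<>":  # bidirectional: also try the reverse direction
        return fwd or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return fwd

def verdict(rules, pkt, order=("pass", "alert", "log")):
    """Return (action, rule text) of the first matching rule, trying actions in `order`."""
    for action in order:
        for r in rules:
            if r["action"] == action and rule_matches(r, pkt):
                return action, r["text"]
    return "none", None

# The eight rules from the post, in the order that misbehaved for the poster.
RULES = [parse_rule(l) for l in """
pass udp $HOME_NET any -> $HOME_NET 161
pass icmp 62.116.68.33/32 any -> $HOME_NET any
pass icmp any any -> 62.116.68.35/32 any
pass tcp 62.116.68.34/32 873 <> 62.116.68.38/32 any
pass icmp 192.168.1.128 any -> any any
pass udp any any -> 192.168.1.1 53
alert icmp any any -> any any (msg:"ICMP"; sid:1234567; rev:1;)
alert udp any any -> any 53 (msg:"DNS"; sid:1234568; rev:1;)
""".strip().splitlines()]
```

Under this model both reported packets (the DNS query and the ping from 192.168.1.128 to 192.168.1.1) hit pass rules #6 and #5 respectively, so the alerts in the post are what a header-only pass/alert order should have suppressed.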


_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel