|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: barre (barre
chello.be)Date: Tue Jun 18 2002 - 02:17:56 CDT
Hello,
In the following example , I want to protect my dmz and will make a
"alert"
rule for all traffic from and to my dmz.
alert any any any -> any any (msg: \"tcp dmz traffic";)
But in this case, alerts will be generated when people access my
webserver. So I make this nice pass rule to grant access to my webserver.
pass tcp !MY_NET any -> webserver 80
Because this pass rule is applied below the alert rule, I have to use the
-o option, to make sure that this previous rule makes an exception to the
other rules.
But in this scenario, I don't check the content of the pass rule for
malicious traffic using the other alert rules. But if I delete the pass
rule, it triggers the "catch all other traffic" rule.
Therefor: is there an other way to implement a "catch all traffic"
rule? Using this rule, you can write rules for all
allowed traffic , and alert for all non-defined traffic. All other
signatures (http malicious traffic for example) will still be applied to
all traffic, even if they are in the pass or catch all rules.
Someone has an idea?
Thanks a lot.
barre
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]