[Snort-users] Snort Rules Help

From: Cunningham, Andy (acunningham@rsasecurity.com)
Date: Fri Jul 09 2004 - 11:26:22 CDT


Hi there.
 
Can someone help with a problem I'm having trying to write Snort rules?

 
I have a series of rules to either pass legitimate traffic or alert on
certain events. Finally I have a catch all rule to alert on any packet
not covered by the above. I've changed the rule order with -o so that
pass rules have the desired effect, and this seems to be working.
 
# Run with -o so pass rules are evaluated before alert rules.
# sid/rev values below are placeholders; classtypes must exist in classification.config.
pass udp $SRC any <> $DEST $PORT (classtype:ignore; sid:1000001; rev:1;)
# Catch-all: any IP packet not passed above, including individual fragments.
alert ip any any -> any any (msg:"Unexpected unclassified traffic"; \
    classtype:unexpected-traffic; sid:1000002; rev:1;)

 
 
These rules work fine for most of the traffic, but when a fragmented UDP
packet comes through, the fragment causes the alert to be generated.
 
I've tried adding fragoffset:0 to the rule to only alert if it's the
first fragment, but it doesn't seem to help.
 
Can anyone suggest what I might be doing wrong?
 
Thanks in advance
 
 

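The behaviour described in the post, shown as an added simulation that is not part of the original message and is not Snort's own matching engine: a UDP datagram is built and split into IP fragments, then each fragment is run against simplified versions of the two rules, with pass rules evaluated first as -o arranges. $SRC, $DEST and $PORT are assumed to be 10.0.0.5, 10.0.0.9 and 514 (placeholders), and all packet bytes are constructed inline. Only the fragment with offset 0 carries the UDP header, so only it can satisfy a rule that names a protocol and ports; later fragments can match only an ip rule, which here is the catch-all. A second rule list adds fragoffset:0 to the catch-all to show what that option changes in this model.

```python
"""Added simulation of rule matching on IP fragments; not Snort's engine."""
import ipaddress
import struct

IPPROTO_UDP = 17

# Assumed values for the post's $SRC, $DEST and $PORT variables (placeholders).
SRC, DEST, PORT = "10.0.0.5", "10.0.0.9", 514


def ipv4_header(src, dst, proto, ident, offset_units, more_frags, payload_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at zero (constructed data)."""
    flags_frag = (0x2000 if more_frags else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def udp_datagram(sport, dport, data):
    """UDP header (checksum zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, proto, ident, l4_bytes, frag_payload):
    """Split transport-layer bytes into IP fragments of frag_payload bytes (multiple of 8)."""
    if frag_payload % 8:
        raise ValueError("fragment payload must be a multiple of 8 bytes")
    frags = []
    for off in range(0, len(l4_bytes), frag_payload):
        chunk = l4_bytes[off:off + frag_payload]
        more = off + frag_payload < len(l4_bytes)
        frags.append(ipv4_header(src, dst, proto, ident, off // 8, more, len(chunk)) + chunk)
    return frags


def decode(pkt):
    """Decode the IP header; UDP ports exist only in the fragment with offset 0."""
    ver_ihl, _tos, _total, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "fragoffset": flags_frag & 0x1FFF, "mf": bool(flags_frag & 0x2000),
            "sport": None, "dport": None}
    if proto == IPPROTO_UDP and info["fragoffset"] == 0 and len(pkt) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def _addrs_match(rule, info):
    fwd = all(rule.get(k, "any") in ("any", info[k]) for k in ("src", "dst"))
    if fwd or not rule.get("bidir"):
        return fwd
    # '<>' in the pass rule: accept the reverse direction too.
    return (rule.get("src", "any") in ("any", info["dst"])
            and rule.get("dst", "any") in ("any", info["src"]))


def rule_matches(rule, info):
    if rule["proto"] == "udp":
        # A non-first fragment carries no UDP header, so there are no ports to test.
        if info["proto"] != IPPROTO_UDP or info["dport"] is None:
            return False
        if rule.get("dport", "any") not in ("any", info["dport"]):
            return False
    elif rule["proto"] != "ip":
        return False
    if not _addrs_match(rule, info):
        return False
    if "fragoffset" in rule and info["fragoffset"] != rule["fragoffset"]:
        return False
    return True


ORDER = {"pass": 0, "alert": 1, "log": 2}   # the order snort -o applies


def classify(pkt, rules):
    """Action of the first matching rule, pass rules first."""
    info = decode(pkt)
    for rule in sorted(rules, key=lambda r: ORDER[r["action"]]):
        if rule_matches(rule, info):
            return rule["action"], rule.get("msg")
    return "none", None


# Simplified forms of the two rules in the post.
RULES = [
    {"action": "pass", "proto": "udp", "src": SRC, "dst": DEST, "dport": PORT, "bidir": True},
    {"action": "alert", "proto": "ip", "msg": "Unexpected unclassified traffic"},
]
# Same rules, with fragoffset:0 added to the catch-all.
RULES_FIRST_FRAG_ONLY = [RULES[0], dict(RULES[1], fragoffset=0)]


def demo():
    """Fragment one 1000-byte UDP datagram at 576 bytes and classify each piece."""
    datagram = udp_datagram(40000, PORT, b"A" * 1000)
    frags = fragment(SRC, DEST, IPPROTO_UDP, 0x1234, datagram, 576)
    rows = []
    for f in frags:
        d = decode(f)
        rows.append((d["fragoffset"], d["dport"], classify(f, RULES)[0],
                     classify(f, RULES_FIRST_FRAG_ONLY)[0]))
    return rows


if __name__ == "__main__":
    for row in demo():
        print("fragoffset=%d dport=%s rules=%s with_fragoffset_0=%s" % row)
```

In this model the second fragment never reaches the port-based pass rule, so the plain catch-all fires on it, while a catch-all carrying fragoffset:0 ignores it. What the model leaves out is fragment reassembly: the job of Snort's fragment reassembly preprocessor is to rebuild the whole datagram so that a rule naming ports can be matched against it, and which packets the rules end up seeing depends on whether that preprocessor is enabled and how it is configured.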
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users