[Snort-sigs] Pass rule problem

Ian Macdonald secsnortsigs at ...644...
Fri Feb 21 14:51:06 EST 2003


I have something like
pass tcp 192.168.10.10 any <> 192.168.120.10 443 (msg: "LOCAL known traffic";)
alert tcp any any -> any any (msg: "catch all rule"; classtype:policy-violation;)

The idea is that I want to log everything that is not known traffic.
However, I am still getting events being triggered by
192.168.120.10:443 -> 192.168.10.10:37797
and
192.168.10.10:37797->192.168.120.10:443
which I thought would have been bypassed by the pass rule. I am running with
the -o option.

Any ideas? snort 1.9.0




