[Snort-sigs] pass rules

Matt Kettler mkettler at ...189...
Mon Oct 27 11:12:27 EST 2003


At 04:00 AM 10/24/2003, edmund.li at ...1981... wrote:

>Dear all,
>
>May I know how I can make the pass rules?
>
>e.g.
>
>SCAN UPnP service discover attempt, it happens for all XP PCs ...
>
>Edmund
>
>
>alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service 
>discover attempt"; content:"M-SEARCH "; offset:0; depth:9; 
>content:"ssdp\:discover"; classtype:network-scan; sid:1917; rev:4;)


Pass rules and BPF filters are covered in the Snort FAQ, question 3.9:

http://www.snort.org/docs/FAQ.txt

         3.9 How do I ignore traffic coming from a particular host or hosts?

(The answer is a bit lengthy to post here; I just included the question so 
you know what to look for.)

However, in your case, I'd suggest removing that rule from the ruleset. 
The message is warning you that the XP machine is running UPnP, and if you 
don't care about hosts running UPnP, just comment out the rule rather than 
passing it.
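
The suggestion in the reply above (commenting out sid 1917 instead of writing a pass rule), as an added example that is not part of the original post or of the Snort project: a Python helper that comments out a rule by SID, including rules wrapped over several lines with trailing backslashes. The sample file contents, the second rule and the function name `disable_sid` are constructed for illustration.

```python
import re

# Constructed sample rules file. sid 1917 is the rule quoted in the post;
# the second rule is a made-up placeholder that must stay untouched.
SAMPLE_RULES = r'''# scan.rules (constructed sample)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; \
    content:"M-SEARCH "; offset:0; depth:9; content:"ssdp\:discover"; \
    classtype:network-scan; sid:1917; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"EXAMPLE placeholder rule"; sid:1000001; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def disable_sid(rules_text, sid):
    """Return (new_text, count): every active rule carrying `sid` is commented out.

    A rule may span several physical lines joined by a trailing backslash;
    all of its lines are commented so no fragment is left active.
    """
    out, block, count = [], [], 0
    for line in rules_text.splitlines():
        block.append(line)
        if line.rstrip().endswith('\\'):
            continue  # rule continues on the next physical line
        already_disabled = block[0].lstrip().startswith('#')
        match = SID_RE.search(' '.join(block))
        if not already_disabled and match and int(match.group(1)) == sid:
            block = ['# ' + part for part in block]
            count += 1
        out.extend(block)
        block = []
    out.extend(block)  # dangling continuation at end of file: left as found
    return '\n'.join(out) + '\n', count


if __name__ == '__main__':
    text, changed = disable_sid(SAMPLE_RULES, 1917)
    print(text, end='')
    print('rules disabled:', changed)
```

Keeping the rule in the file as a comment leaves a record of what was turned off, so it can be re-enabled if UPnP exposure later becomes something you want reported.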
