[Snort-sigs] pass rules
mkettler at ...189...
Mon Oct 27 11:12:27 EST 2003
At 04:00 AM 10/24/2003, edmund.li at ...1981... wrote:
>May I know how can I make the pass rules ?
>SCAN UPnP service discover attempt, it happens for all XP PC ...
>alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service
>discover attempt"; content:"M-SEARCH "; offset:0; depth:9;
>content:"ssdp\:discover"; classtype:network-scan; sid:1917; rev:4;)
Pass rules and BPF filters are covered in the snort FAQ, question 3.9
3.9 How do I ignore traffic coming from a particular host or hosts?
(The answer is a bit lengthy to post here, I just included the question so
you know what to look for)
However, in your case, I'd suggest removing that rule from the ruleset..
The message is warning you that the XP machine is running UPNP, and if you
don't care about hosts running UPNP, just comment out the rule rather than
More information about the Snort-sigs