[Snort-sigs] Help on an ICMP rule: sid 486
bmc at ...95...
Wed Aug 25 14:49:13 EDT 2004
On Wed, Aug 25, 2004 at 01:56:12PM -0700, Seth Art wrote:
> Well i still would like to see if this alert started
> firing off on something new (ie. anything except
> between my sensors and my vpn pool). So this is a
> perfect case FOR a pass rule for me. Correct?
> Thanks for the -o insight. Does this mean that anyone
> using pass rules should use the -o? If not, could you
> explain to me a case where a pass rule would be useful
> in the default order of alert -> pass -> log?
The reason -o is required to use pass rules effectively is to prevent
people from shooting themselves in the foot without decent
understanding of what they are doing.
If you *really* want to pass traffic, then use -o (or "config order"
I've seen people add the following rule, expecting snort to no longer
alert on tcp traffic generated from their hosts:
pass tcp $HOME_NET any -> $EXTERNAL_NET any
Now, what do you think this will do to snort if you have left HOME_NET
and EXTERNAL_NET configured as they are by default?
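To make the ordering question concrete, here is a small Python model of how Snort 2 walks its rule-action groups. It is an added example, not code from Snort or from anyone on this list. It models only two things: the action order (default alert -> pass -> log, versus pass -> alert -> log as selected by -o or "config order") and $VARIABLE/CIDR address matching. The rule set, the packets, and the SENSOR_NET / VPN_POOL addresses are constructed for the scenario in the thread; the only rule quoted verbatim is the broad pass rule above, and the ICMP alert rule stands in for the signature under discussion rather than reproducing sid 486.

```python
"""Toy model of Snort 2 rule-action ordering (added example, not Snort code).

Snort groups rules by action and walks the groups in a fixed order.  The
default order is alert -> pass -> log; the -o switch (or "config order:
pass alert log" in snort.conf) moves pass ahead of alert.  Only that
ordering and $VAR / CIDR address matching are modelled here.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")   # what -o selects

# Default snort.conf values for the two variables named in the post.
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed address space for the poster's scenario (not from the thread).
NARROWED_VARS = {
    "HOME_NET": "10.0.0.0/8",
    "EXTERNAL_NET": "!10.0.0.0/8",
    "SENSOR_NET": "10.1.1.0/24",   # hypothetical sensor addresses
    "VPN_POOL": "10.9.0.0/16",     # hypothetical VPN address pool
}


@dataclass(frozen=True)
class Rule:
    action: str   # "alert", "pass" or "log"
    proto: str    # "tcp", "udp", "icmp" or "ip"
    src: str      # "any", a CIDR, or a $VARIABLE
    dst: str
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """Resolve $VAR, honour "any" and a leading "!" negation, then CIDR-match."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, variables: dict) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src, variables)
            and addr_matches(rule.dst, pkt.dst, variables))


def evaluate(rules, pkt, variables, order=DEFAULT_ORDER):
    """Return (action, msg) of the first matching rule in action-group order,
    or ("none", "") if nothing matched.  A matching pass rule ends processing,
    which only helps if the pass group is walked before the alert group."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt, variables):
                return action, rule.msg
    return "none", ""


# Constructed rule set: a generic inbound TCP alert, an ICMP alert standing in
# for the noisy ICMP signature in the thread, the poster's broad pass rule, and
# a narrowed pass rule covering only sensor <-> VPN-pool ICMP.
TCP_ALERT = Rule("alert", "tcp", "$EXTERNAL_NET", "$HOME_NET", "constructed tcp alert")
ICMP_ALERT = Rule("alert", "icmp", "any", "any", "constructed icmp alert")
BROAD_PASS = Rule("pass", "tcp", "$HOME_NET", "$EXTERNAL_NET",
                  "pass tcp $HOME_NET any -> $EXTERNAL_NET any")
NARROW_PASS = Rule("pass", "icmp", "$SENSOR_NET", "$VPN_POOL",
                   "pass icmp $SENSOR_NET any -> $VPN_POOL any")

INBOUND_TCP = Packet("tcp", "203.0.113.5", "10.1.2.3")     # constructed samples
SENSOR_ICMP = Packet("icmp", "10.1.1.10", "10.9.4.4")
OTHER_ICMP = Packet("icmp", "198.51.100.7", "10.1.2.3")


def broad_pass_default_order() -> str:
    """Default order: the alert group is walked first, so the pass rule never fires."""
    return evaluate([TCP_ALERT, BROAD_PASS], INBOUND_TCP, DEFAULT_VARS)[0]


def broad_pass_with_o() -> str:
    """With -o and the default any/any variables the pass rule swallows *all* TCP,
    including the inbound traffic the alert rule was written to catch."""
    return evaluate([TCP_ALERT, BROAD_PASS], INBOUND_TCP, DEFAULT_VARS, PASS_FIRST_ORDER)[0]


def narrow_pass_with_o(pkt: Packet) -> str:
    """With -o and explicit variables only sensor -> VPN-pool ICMP is passed."""
    return evaluate([ICMP_ALERT, NARROW_PASS], pkt, NARROWED_VARS, PASS_FIRST_ORDER)[0]


if __name__ == "__main__":
    print("broad pass, default order:", broad_pass_default_order())
    print("broad pass, -o:           ", broad_pass_with_o())
    print("narrow pass, sensor icmp: ", narrow_pass_with_o(SENSOR_ICMP))
    print("narrow pass, other icmp:  ", narrow_pass_with_o(OTHER_ICMP))
```

The two broad-pass functions show both halves of the point: without -o the pass rule is dead weight because the alert group wins first, and with -o plus the default any/any variables it silences every TCP alert, inbound included. The narrowed rule keeps -o useful by tying the pass to explicit sensor and VPN-pool addresses, so ICMP from anywhere else still reaches the alert rule.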