[Snort-sigs] Help on an ICMP rule: sid 486

Brian bmc at ...95...
Wed Aug 25 14:49:13 EDT 2004


On Wed, Aug 25, 2004 at 01:56:12PM -0700, Seth Art wrote:
> Well, I still would like to see if this alert started
> firing off on something new (i.e. anything except
> between my sensors and my VPN pool).  So this is a
> perfect case FOR a pass rule for me.  Correct?  
> 
> Thanks for the -o insight.  Does this mean that anyone
> using pass rules should use the -o?  If not, could you
> explain to me a case where a pass rule would be useful
> in the default order of alert -> pass -> log?

The reason -o is required to use pass rules effectively is to prevent
people from shooting themselves in the foot without decent
understanding of what they are doing.

If you *really* want to pass traffic, then use -o (or "config order"
in snort.conf).

I've seen people add the following rule, expecting snort to no longer
alert on tcp traffic generated from their hosts:

    pass tcp $HOME_NET any -> $EXTERNAL_NET any 

Now, what do you think this will do to snort if you have left HOME_NET
and EXTERNAL_NET configured as they are by default? 

-b
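The snort.conf fragment below is an added example, not part of Brian's or Seth's messages, showing the two points of the thread side by side: the "config order" equivalent of -o, and a pass rule scoped to the sensor/VPN-pool traffic Seth describes, beside the foot-gun rule Brian quotes. All addresses and the sid are hypothetical placeholders; the pass rule matches any ICMP between the two groups rather than sid 486's specific ICMP type, since the thread does not quote that rule's options.

```conf
# Added example (Snort 2.x syntax), not from the original post.
# Addresses below are hypothetical; substitute your own.

# 1. Define HOME_NET / EXTERNAL_NET. Left at the shipped default of "any"
#    for both, $HOME_NET -> $EXTERNAL_NET matches every packet.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# 2. Equivalent of running snort with -o: evaluate pass rules first,
#    then alert, then log. Without this, the default order is
#    alert -> pass -> log and a pass rule never suppresses an alert.
config order: pass alert log

# 3. Narrow pass rule for the known-benign traffic only: ICMP between
#    the sensors and the VPN address pool, in either direction.
#    Anything outside these two groups still hits the alert rules.
var SENSORS [192.168.1.10,192.168.1.11]
var VPN_POOL 10.10.0.0/24
pass icmp $SENSORS any <> $VPN_POOL any (msg:"pass sensor<->vpn pool icmp"; sid:1000001; rev:1;)

# 4. The foot-gun rule from the thread, kept commented out for contrast.
#    With the default HOME_NET any / EXTERNAL_NET any, and the order set
#    above, this would silently pass ALL tcp traffic before any alert rule
#    sees it:
# pass tcp $HOME_NET any -> $EXTERNAL_NET any
```

Check the result before trusting it: run snort -T (or snort -c snort.conf -T) to confirm the file parses, then send traffic that should still alert (for example a probe from outside both groups) and verify the alert still fires with the pass rule loaded.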
