[Snort-users] Pass rule

Guy Bruneau bruneau at ...126...
Tue Jul 25 05:45:15 EDT 2000


Marty,

No I didn't but I will. By the way, what is the order when not using that switch?

Guy

Martin Roesch wrote:

> Did you use the -o command line option?  Try that....
>
>    -Marty
>
> Guy Bruneau wrote:
> >
> > Hello,
> >
> > I have tried to used the pass rule and it doesn't appear to work. For
> > example, I have the following alert:
> >
> > [**] IDS247 - MISC - Large UDP Packet [**]
> > 07/24-19:17:32.790650 10.14.71.92:4361 -> 224.0.64.255:21626
> > UDP TTL:32 TOS:0x0 ID:12831
> > Len: 1144
> >
> > I would write the following rule:
> >
> > pass udp 10.14.71.92 any -> 224.0.64.255 any
> >
> > but snort isn't ignoring it. It continues to log it. Is there anything wrong
> > with this rule? If so, how should it be written?
> >
> > Thanks,
> >
> > Guy
> >
> > --
> > Guy Bruneau
> > Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
> >
> >   _______________________________________________ Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>
> --
> Martin Roesch                      <roesch at ...2...>
> Core R&D                        http://www.hiverworld.com
> Hiverworld, Inc.       Continuous Adaptive Risk Management
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users





More information about the Snort-users mailing list