[Snort-users] Pass rule

Martin Roesch roesch at ...1...
Tue Jul 25 09:51:48 EDT 2000


Alert->Pass->Log

It's done that way by default to keep one errant pass rule from wiping out all
of your alert rules.

    -Marty

Guy Bruneau wrote:
> 
> Marty,
> 
> No I didn't but I will. By the way, what is the order when not using that switch?
> 
> Guy
> 
> Martin Roesch wrote:
> 
> > Did you use the -o command line option?  Try that....
> >
> >    -Marty
> >
> > Guy Bruneau wrote:
> > >
> > > Hello,
> > >
> > > I have tried to use the pass rule and it doesn't appear to work. For
> > > example, I have the following alert:
> > >
> > > [**] IDS247 - MISC - Large UDP Packet [**]
> > > 07/24-19:17:32.790650 10.14.71.92:4361 -> 224.0.64.255:21626
> > > UDP TTL:32 TOS:0x0 ID:12831
> > > Len: 1144
> > >
> > > I would write the following rule:
> > >
> > > pass udp 10.14.71.92 any -> 224.0.64.255 any
> > >
> > > but snort isn't ignoring it. It continues to log it. Is there anything wrong
> > > with this rule? If so, how should it be written?
> > >
> > > Thanks,
> > >
> > > Guy
> > >
> > > --
> > > Guy Bruneau
> > > Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
> > --
> > Martin Roesch                      <roesch at ...2...>
> > Core R&D                        http://www.hiverworld.com
> > Hiverworld, Inc.       Continuous Adaptive Risk Management
> >
> 

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
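
The ordering discussed in this thread, as an added example that is not part of the original message or of Snort's own code. It models the default Alert->Pass->Log order against the Pass->Alert->Log order that Snort's documentation gives for `-o`; the `Rule` class, the `min_len` field, the 1000-byte threshold and the second packet are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")  # order stated in the reply above
DASH_O_ORDER = ("pass", "alert", "log")   # order applied when -o is given

@dataclass
class Rule:
    action: str
    proto: str
    src: str = "any"
    dst: str = "any"
    min_len: int = 0  # simplified stand-in for a payload-size option

    def matches(self, pkt):
        return (self.proto == pkt["proto"]
                and self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and pkt["len"] > self.min_len)

def verdict(rules, pkt, order):
    """Walk the rule lists in the given order; the first list with a match decides."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action
    return "none"

# Constructed rule set: a large-UDP alert (threshold assumed) plus the
# pass rule quoted in the thread.
RULES = [
    Rule("alert", "udp", min_len=1000),
    Rule("pass", "udp", src="10.14.71.92", dst="224.0.64.255"),
]
# An "errant" pass rule that matches all UDP traffic.
ERRANT = RULES + [Rule("pass", "udp")]

# Packet from the alert in the thread, and a constructed second packet.
PACKET = {"proto": "udp", "src": "10.14.71.92", "dst": "224.0.64.255", "len": 1144}
OTHER = {"proto": "udp", "src": "10.14.71.93", "dst": "224.0.64.255", "len": 1200}

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print(name, "thread packet:", verdict(RULES, PACKET, order))
        print(name, "other packet, errant pass rule:", verdict(ERRANT, OTHER, order))
```

With the default order the errant pass rule cannot suppress the alert on the second packet; with the `-o` order it does, which is the risk the reply describes.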



