[Snort-users] Snort Rules

Koaps koaps at ...1804...
Fri Apr 13 14:10:44 EDT 2001

I tried using the pass syntax like this

pass tcp any -> any

and now Snort causes a Dr.Watson Error when I run it....


 < o,0 >
   \ /


----- Original Message ----- 
From: "A.L.Lambert" <max at ...1806...>
To: "Koaps" <koaps at ...1804...>
Cc: "Snort" <snort-users at lists.sourceforge.net>
Sent: Wednesday, April 11, 2001 4:08 PM
Subject: Re: [Snort-users] Snort Rules

> I need to make Snort Not track stuff from 4 class C's
> how do you do this?
> I tried setting Homenet to the Networks
> [,,,] But I
> still get Tons on Tons of Tons of chatter between boxes on those
> networks
> I want it to track only things not from those Networks.

Depends on what you mean by only things not from those
networks.  If you mean you want those networks to become 'invisible' to
snort, try using a BPF filter like this:

not net and not net and ...

If you mean you don't want that inter-network chatter to be
picked up, but you still want to know what goes on between those networks
and the outside world, you might want to write snort pass rules (remember
to start snort with "-o" to make pass rules evaluate as expected), with
each possibility of the networks that you want to be able to talk without
being seen by snort.

And a final piece of advice, the rules that are setting off the
alerts on inter-network chatter, are likely generating way too many false
alerts to be of any use to you anyway; I myself would rather comment out
some rules I know to watch for relatively harmless traffic but set off a
lot of false alerts, rather than make entire subnets invisible to snort.


-- A.L.Lambert
The problems that exist in the world today cannot be solved by the level
of thinking that created them...
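
The two approaches described in the reply above, as an added example that is not part of the original messages or of Snort itself: a small generator that builds the BPF expression and one pass rule per pairing of the trusted networks. The four networks are constructed placeholders (the addresses in the thread were stripped), and the rule header form with explicit `any` ports and the `<>` bidirectional operator is assumed from standard Snort rule syntax.

```python
import ipaddress
from itertools import combinations_with_replacement

# Constructed placeholder networks; the real addresses are not on the page.
NETWORKS = ["192.168.1.0/24", "192.168.2.0/24",
            "192.168.3.0/24", "192.168.4.0/24"]
PROTOCOLS = ("tcp", "udp", "icmp")


def normalize(networks):
    """Validate each CIDR; reject host bits and duplicates so a typo
    cannot silently widen or duplicate an exclusion."""
    seen = []
    for text in networks:
        net = str(ipaddress.ip_network(text, strict=True))
        if net in seen:
            raise ValueError(f"duplicate network: {net}")
        seen.append(net)
    return seen


def bpf_filter(networks):
    """BPF expression that hides the networks from the sensor entirely
    (traffic to and from the outside world is dropped too)."""
    return " and ".join(f"not net {n}" for n in normalize(networks))


def pass_rules(networks):
    """One pass rule per protocol for every pairing of trusted networks,
    including a network talking to itself. Traffic between a trusted
    network and anything else still reaches the alert rules."""
    rules = []
    for a, b in combinations_with_replacement(normalize(networks), 2):
        # '<>' covers both directions; same-network chatter needs only '->'.
        op = "->" if a == b else "<>"
        for proto in PROTOCOLS:
            # A rule header needs address AND port on both sides.
            rules.append(f"pass {proto} {a} any {op} {b} any")
    return rules


if __name__ == "__main__":
    print("# BPF filter (networks become invisible):")
    print(bpf_filter(NETWORKS))
    print("# Pass rules (start snort with -o so pass rules apply first):")
    print("\n".join(pass_rules(NETWORKS)))
```

Four networks yield 10 pairings and 30 pass rules, which is the cost of the pass-rule approach compared with the one-line BPF filter.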
