[Snort-users] Snort Rules

Martin Roesch roesch at ...421...
Thu Apr 19 00:53:57 EDT 2001


The rule should be:

pass tcp 192.168.68.0/24 any -> any any

   -Marty


Koaps wrote:
> 
> I tried using the pass syntax like this
> 
> pass tcp 192.168.68.0/24 any -> any
> 
> and now Snort causes a Dr.Watson Error when I run it....
> 
> L8rZ,
> 
>   )\_/(
>  < o,0 >
>     ~
>    \ /
> 
> KoAps
> 
> ----- Original Message -----
> From: "A.L.Lambert" <max at ...1806...>
> To: "Koaps" <koaps at ...1804...>
> Cc: "Snort" <snort-users at lists.sourceforge.net>
> Sent: Wednesday, April 11, 2001 4:08 PM
> Subject: Re: [Snort-users] Snort Rules
> 
> > I need to make Snort Not track stuff from 4 class C's
> >
> > how do you do this?
> >
> > I tried setting Homenet to the Networks
> > [192.68.3.0/24,192.168.6.0/24,192.168.22.0/24,192.168.67.0/24] But I
> > still get Tons on Tons of Tons of chatter between boxes on those
> > networks
> >
> > I want it to track only things not from those Networks.
> 
> Depends on what you mean by only things not from those
> networks.  If you mean you want those networks to become 'invisible' to
> snort, try using a BPF filter like this:
> 
> not net 192.68.3.0/24 and not net 192.168.6.0/24 and ...
> 
> If you mean you don't want that inter-network chatter to be
> picked up, but you still want to know what goes on between those networks
> and the outside world, you might want to write snort pass rules (remember
> to start snort with "-o" to make pass rules evaluate as expected), with
> each possibility of the networks that you want to be able to talk without
> being seen by snort.
> 
> And a final piece of advice, the rules that are setting off the
> alerts on inter-network chatter, are likely generating way too many false
> alerts to be of any use to you anyway; I myself would rather comment out
> some rules I know to watch for relatively harmless traffic but set off a
> lot of false alerts, rather than make entire subnets invisible to snort.
> :)
> 
> Cheers!
> 
> -- A.L.Lambert
> ------------------------------------------------------------------------
> The problems that exist in the world today cannot be solved by the level
> of thinking that created them...
> -Einstein
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
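
An added example, not code from anyone in this thread or from the Snort project: a Python check that a rule header carries all seven fields (action, protocol, source address and port, direction, destination address and port), plus a generator for one pass rule per pair of the four networks in the quoted question. The function names, the simplified address/port syntax and the inclusion of same-network pairs are assumptions of this example.

```python
import ipaddress
import re
from itertools import product

FIELDS = ("action", "protocol", "source address", "source port",
          "direction", "destination address", "destination port")
# Simplified port syntax for this example: any, N, N:, :N, N:M, optional "!"
PORT_RE = re.compile(r"^!?(any|\d+|\d+:\d*|:\d+)$")

def _addr_ok(addr):
    """Accept 'any' or an address/CIDR block, optionally negated with '!'."""
    addr = addr.lstrip("!")
    if addr == "any":
        return True
    try:
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:
        return False

def check_header(rule):
    """Return a list of problems in a rule header; an empty list means it is complete."""
    parts = rule.split("(", 1)[0].split()   # ignore any "(options)" body
    if len(parts) < len(FIELDS):
        return ["missing " + ", ".join(FIELDS[len(parts):])]
    if len(parts) > len(FIELDS):
        return ["unexpected extra field(s): " + " ".join(parts[len(FIELDS):])]
    _action, _proto, src, sport, direction, dst, dport = parts
    problems = []
    if direction not in ("->", "<>"):
        problems.append("bad direction operator: " + direction)
    problems += ["bad address: " + a for a in (src, dst) if not _addr_ok(a)]
    problems += ["bad port: " + p for p in (sport, dport) if not PORT_RE.match(p)]
    return problems

def pass_rules(networks, proto="tcp"):
    """One pass rule per ordered (source, destination) pair, same-network pairs included."""
    return ["pass %s %s any -> %s any" % (proto, s, d)
            for s, d in product(networks, repeat=2)]

# Networks copied exactly as written in the quoted question.
NETWORKS = ["192.68.3.0/24", "192.168.6.0/24", "192.168.22.0/24", "192.168.67.0/24"]

if __name__ == "__main__":
    print(check_header("pass tcp 192.168.68.0/24 any -> any"))      # rule from the quoted reply
    print(check_header("pass tcp 192.168.68.0/24 any -> any any"))  # corrected rule
    for rule in pass_rules(NETWORKS):
        print(rule)
```

As the quoted advice says, pass rules like these only behave as expected when snort is started with "-o".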



