[Snort-users] permit rules

James Hoagland hoagland at ...47...
Sun Jan 21 11:57:00 EST 2001


At 5:11 PM +0300 1/21/01, konsul at ...1169... wrote:
>Hello again. I have the following situation. In my network there is a
>server which monitors net devices (Cisco, servers, services, etc.).
>This machine generates a lot of traffic, which gets logged in Snort's
>alerts (usually ICMP). To pass this traffic through Snort, I set up
>the following lines in snort.conf, before the 'include' keywords:
>pass tcp x.x.x.x/32 any -> y.y.y.0/24 any
>pass udp x.x.x.x/32 any -> y.y.y.0/24 any
>pass icmp x.x.x.x/32 any -> y.y.y.0/24 any
>where x.x.x.x is the server address and y.y.y.0/24 is my subnet, but it
>has no effect. Traffic from this host is logged to alert again. What is
>it?

Konsul,

Try adding -o to your Snort startup line if you don't have it 
already.  That gives pass rules priority over alert rules.

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|
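
The effect of -o described in the reply, as an added example that is not part of the original message and is not Snort's own code: a small Python model of rule-type evaluation order. It assumes the Snort 1.x documented default order (alert, pass, log) and the -o order (pass, alert, log); the addresses are constructed stand-ins for x.x.x.x and y.y.y.0/24, the alert rule is a constructed generic ICMP signature, and ports are left out because the rules above use "any".

```python
import ipaddress

# Order in which rule types are tried; the first type with a matching rule wins.
DEFAULT_ORDER = ("alert", "pass", "log")   # assumed Snort 1.x default
DASH_O_ORDER = ("pass", "alert", "log")    # assumed order when started with -o

MONITOR = "192.0.2.10"        # constructed stand-in for x.x.x.x
SUBNET = "198.51.100.0/24"    # constructed stand-in for y.y.y.0/24

# (action, protocol, source, destination)
RULES = [
    ("alert", "icmp", "any", SUBNET),            # constructed generic ICMP signature
    ("pass", "tcp", MONITOR + "/32", SUBNET),    # the three pass rules from the post
    ("pass", "udp", MONITOR + "/32", SUBNET),
    ("pass", "icmp", MONITOR + "/32", SUBNET),
]


def _addr_matches(spec, addr):
    """True if addr falls inside the rule's address spec ('any' or a CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def verdict(packet, order):
    """Return the action applied to packet=(proto, src, dst) under the given order."""
    proto, src, dst = packet
    for action in order:
        for r_action, r_proto, r_src, r_dst in RULES:
            if (r_action == action and r_proto == proto
                    and _addr_matches(r_src, src) and _addr_matches(r_dst, dst)):
                return action
    return "none"


if __name__ == "__main__":
    monitor_ping = ("icmp", MONITOR, "198.51.100.20")
    other_ping = ("icmp", "203.0.113.5", "198.51.100.20")
    for name, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print(name, "monitor:", verdict(monitor_ping, order),
              "other host:", verdict(other_ping, order))
```

In this model the monitoring host's ICMP is still alerted on under the default order, because the alert rule is consulted before any pass rule, while with the -o order only that host is passed and other sources still alert.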



