[Snort-users] permit rules
hoagland at ...47...
Sun Jan 21 11:57:00 EST 2001
At 5:11 PM +0300 1/21/01, konsul at ...1169... wrote:
>Hello again. I have the following situation. In my network there is a
>server which monitors net devices (Cisco, servers, services, etc.).
>This machine generates a lot of traffic, which is logged to Snort alerts
>(usually ICMP). To pass this traffic through Snort, I set up the
>following lines in snort.conf, before the 'include' keywords.
>pass tcp x.x.x.x/32 any -> y.y.y.0/24 any
>pass udp x.x.x.x/32 any -> y.y.y.0/24 any
>pass icmp x.x.x.x/32 any -> y.y.y.0/24 any
>where x.x.x.x is the server address and y.y.y.0/24 is my subnet, but it
>has no effect. Traffic from this host is logged to alert again. What is
Try adding -o to your Snort startup line if you don't have it
already. That gives pass rules priority over alert rules.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (707) 445-4222 *|
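
The effect of -o described in the reply above, as an added example that is not part of the original thread and is not Snort's own code: a simplified Python model in which rule types are tried in a fixed order and the first type with a matching rule decides the packet. It assumes Snort's documented orders (Alert->Pass->Log by default, Pass->Alert->Log with -o), ignores ports and rule options, and uses constructed documentation addresses in place of x.x.x.x and y.y.y.0/24.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort started without -o
DASH_O_ORDER = ("pass", "alert", "log")    # Snort started with -o


@dataclass
class Rule:
    action: str   # "alert", "pass" or "log"
    proto: str    # "tcp", "udp" or "icmp"
    src: str      # CIDR block or "any"
    dst: str      # CIDR block or "any"


def _net_match(spec, addr):
    """True if addr falls inside the rule's address spec."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule, pkt):
    """Header-only match: protocol, source and destination (ports ignored)."""
    return (rule.proto == pkt["proto"]
            and _net_match(rule.src, pkt["src"])
            and _net_match(rule.dst, pkt["dst"]))


def verdict(rules, pkt, order):
    """Return the first rule type in `order` that has a rule matching pkt."""
    for action in order:
        if any(r.action == action and matches(r, pkt) for r in rules):
            return action
    return "none"


# Constructed sample values standing in for x.x.x.x and y.y.y.0/24.
MONITOR = "192.0.2.10"
SUBNET = "198.51.100.0/24"

RULES = [
    # Stand-in for an ICMP alert rule pulled in by an 'include' line.
    Rule("alert", "icmp", "any", "any"),
    # The three pass rules from the question.
    Rule("pass", "tcp", MONITOR + "/32", SUBNET),
    Rule("pass", "udp", MONITOR + "/32", SUBNET),
    Rule("pass", "icmp", MONITOR + "/32", SUBNET),
]

PING_FROM_MONITOR = {"proto": "icmp", "src": MONITOR, "dst": "198.51.100.7"}
PING_FROM_OTHER = {"proto": "icmp", "src": "203.0.113.5", "dst": "198.51.100.7"}
```

In this model the position of the pass rules in the file does not change the result; only the order in which rule types are tried does, and traffic from any other source still reaches the alert rules when the pass-first order is used.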