[Snort-users] pass rule problem

David.Hoelzer at ...30...
Thu Jan 25 09:26:42 EST 2001


Are you using the "Pass -> alert -> log" switch, or the default "Alert -> pass -> log"?




alexh at ...1207... on 01/25/2001 09:09:41 AM

To:   snort-users at lists.sourceforge.net
cc:    (bcc: David Hoelzer/SMC)

Subject:  [Snort-users] pass rule problem



Hi,

I've just upgraded to 1.7, which is nice[1], but I'm having a problem getting
pass rules to work.

With 1.6, I would use the rules

    pass tcp any  80 -> $HOME_NET any
    pass tcp any any -> $HOME_NET 80

    # [snip other pass rules]

    log tcp any any -> $HOME_NET :1023

to exclude web traffic from the logs. This worked fine.

However, using exactly the same rules with Snort 1.7, web traffic *is* being
logged.

After much commenting out of rules, I am sure that these are the culprits.
I tried altering the pass rules to

    pass tcp any 80 <> any any

but it made no difference. Am I just being my usual stupid self, or is there
a less humiliating explanation, I wonder?

[1] -- I may be understating here.
--
Alex Hooper
Senior Programmer
Clockwork Web.
+44 20 7471 0770
http://www.clockworkweb.com
