[Snort-users] pass rule problem

Dave Ryan dave at ...1192...
Thu Jan 25 09:13:35 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

Try using the -o option when initialising snort; this causes the pass rules to be processed first.

regards,
Dave.

Quoting alexh at ...1207... (alexh at ...1207...):
> Hi,
> 
> I've just upgraded to 1.7, which is nice[1], but I'm having a problem getting
> pass rules to work.
> 
> With 1.6, I would use the rules
> 
>     pass tcp any  80 -> $HOME_NET any
>     pass tcp any any -> $HOME_NET 80
> 
>     # [snip other pass rules]
> 
>     log tcp any any -> $HOME_NET :1023
> 
> to exclude web traffic from the logs. This worked fine.
> 
> However, using exactly the same rules with snort1.7, web traffic *is* being
> logged.
> 
> After much commenting out of rules, I am sure that these are the culprits.
> I tried altering the pass rules to
> 
>     pass tcp any 80 <> any any
> 
> but it made no difference. Am I just being my usual stupid self, or is there
> a less humiliating explanation, I wonder?
> 
> [1] -- I may be understating here.
> -- 
> Alex Hooper
> Senior Programmer
> Clockwork Web.
> +44 20 7471 0770
> http://www.clockworkweb.com
> 

- -- 
Dave Ryan 				Default Security
http://www.default.org.uk/~dave		dave at ...1192...

GnuPG Key:      http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint:    F418 C882 FF03 82A0 A99A  2720 669C E8C3 44B8 2A0F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6cDSMZpzow0S4Kg8RAqoaAJ9ND6V1uqvCP0XkK2N6rOQ9iFBM2ACdEGRX
hDByKfPOc6HSlYujnLOa3XM=
=szZW
-----END PGP SIGNATURE-----
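Added example, not part of the original post or of Snort's own code: a small Python model of first-match evaluation over the rule headers quoted above. It shows that the inbound web packet escapes logging only when the pass list is walked before the log list. The `HOME_NET` value, the sample packets and the log-first contrast order are constructed for illustration; the contrast order is not a statement about what Snort 1.7 does by default.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed stand-in for $HOME_NET
RULES = [                                         # rule headers quoted in the thread
    "pass tcp any 80 -> $HOME_NET any",
    "pass tcp any any -> $HOME_NET 80",
    "log tcp any any -> $HOME_NET :1023",
]
PASS_FIRST = ("pass", "alert", "log")   # pass rules processed first, as -o is described
LOG_FIRST = ("log", "pass")             # constructed contrast order (assumption)

# Constructed TCP packets: (src_ip, src_port, dst_ip, dst_port)
WEB_REQUEST = ("198.51.100.7", 40000, "192.0.2.10", 80)
WEB_REPLY = ("198.51.100.7", 80, "192.0.2.10", 40000)
SSH = ("198.51.100.7", 40000, "192.0.2.10", 22)
OUTBOUND = ("192.0.2.10", 40000, "198.51.100.7", 80)

def addr_ok(spec, ip):
    return spec == "any" or (spec == "$HOME_NET" and ipaddress.ip_address(ip) in HOME_NET)

def port_ok(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")   # "80", ":1023", "1024:" or "1:1023"
    if not sep:
        return port == int(lo)
    return int(lo or 0) <= port <= int(hi or 65535)

def matches(rule, pkt):
    _action, proto, s_ip, s_port, direction, d_ip, d_port = rule.split()
    sip, sport, dip, dport = pkt
    fwd = (addr_ok(s_ip, sip) and port_ok(s_port, sport)
           and addr_ok(d_ip, dip) and port_ok(d_port, dport))
    rev = (addr_ok(s_ip, dip) and port_ok(s_port, dport)
           and addr_ok(d_ip, sip) and port_ok(d_port, sport))
    return proto == "tcp" and (fwd or (direction == "<>" and rev))

def verdict(pkt, order):
    """Walk the rule lists in `order`; the first matching rule decides the packet."""
    for action in order:
        for rule in RULES:
            if rule.split()[0] == action and matches(rule, pkt):
                return action
    return "none"

if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST), ("web reply", WEB_REPLY), ("ssh", SSH)]:
        print(f"{name:12} pass-first={verdict(pkt, PASS_FIRST)} log-first={verdict(pkt, LOG_FIRST)}")
```

Only the inbound request to port 80 changes verdict between the two orders, because it is the one packet that matches both a pass rule and the `:1023` log rule.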



