[Snort-users] Snort Rules
carb02 at ...2172...
Thu Jun 7 17:53:12 EDT 2001
I have created a rule in my local.rules file (which is included in the
snort.conf file, and the other rules in that file all work but one).
I have a monitor server which snort records as:
Jun 7 15:50:54 prod-backup snort: [ID 244969 auth.alert] ICMP Echo
Request *NIX: 188.8.131.52 -> 184.108.40.206
That's from /var/adm/messages.
I have created a rule:
pass 220.127.116.11/32 any -> 18.104.22.168/32 any
But messages are still getting recorded in /var/adm/messages from ICMP
requests from this box. What's wrong with my rule? Does the order of
rules in the snort.conf file regulate this? Which takes precedence, a pass
rule or an alert rule?