[Snort-users] Snort Rules

Brian Carpio carb02 at ...2172...
Thu Jun 7 17:53:12 EDT 2001

I have created a rule in my local.rules file (which is included in the
snort.conf file; all the rules in that file work but one).

I have a monitor server which snort records as 

Jun  7 15:50:54 prod-backup snort[3682]: [ID 244969 auth.alert] ICMP Echo
Request *NIX: ->

that's from /var/adm/messages

I have created a rule 

pass any -> any 

but messages are still getting recorded in /var/adm/messages from ICMP
Requests from this box. What's wrong with my rule? Does the order of
rules in the snort.conf file regulate this? Which takes precedence, a pass
rule or an alert rule?

Brian Carpio

