[Snort-users] Snort Rules

Brian Carpio carb02 at ...2172...
Thu Jun 7 17:53:12 EDT 2001


I have created a rule in my local.rules file (which is included in the
snort.conf file and the other rules in that file work but one)

I have a monitor server which snort records as 

Jun  7 15:50:54 prod-backup snort[3682]: [ID 244969 auth.alert] ICMP Echo
Request *NIX: 205.144.151.100 -> 205.144.151.83

that's from /var/adm/messages


I have created a rule 

pass 205.144.151.100/32 any -> 205.144.151.83/32 any 


but messages are still getting recored in the /var/adm/messages from ICMP
Requests from this box.. what's wrong with my rule?? does the order of
rules in the snort.conf file regulate this?? Which takes presence a pass
rule or an alert rule??


Brian Carpio






More information about the Snort-users mailing list