[Snort-users] Snort Rules

Neil Dickey neil at ...1633...
Thu Jun 7 18:02:45 EDT 2001

Brian Carpio <carb02 at ...2172...> wrote asking:

>I have created a rule 
>pass any -> any 
>but messages are still getting recorded in the /var/adm/messages from ICMP
>Requests from this box.. what's wrong with my rule?? does the order of
>rules in the snort.conf file regulate this?? Which takes precedence, a pass
>rule or an alert rule??

It depends.  If you are using the '-o' switch when invoking snort, then
pass rules have precedence over alert rules.  If you aren't, then alert
rules have precedence.  Check to be sure that you are using this switch.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
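
Added example, not part of the original message and not Snort's own code: a simplified Python model of the evaluation order the reply describes (Alert->Pass->Log by default, Pass->Alert->Log with '-o'), showing why a pass rule alone does not silence an alert. The rule headers, the 192.0.2.x addresses, and the `decide` helper are constructed for illustration; rule options and bidirectional rules are not modelled.

```python
import ipaddress

DEFAULT_ORDER = ("alert", "pass", "log")  # order without -o
DASH_O_ORDER = ("pass", "alert", "log")   # order when snort is started with -o

def parse_header(rule):
    """Parse 'action proto src sport -> dst dport' (header only, no options)."""
    action, proto, src, sport, arrow, dst, dport = rule.split()
    if arrow != "->":
        raise ValueError("only the '->' direction operator is modelled")
    return {"action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and _addr_ok(rule["src"], pkt["src"])
            and _addr_ok(rule["dst"], pkt["dst"])
            and _port_ok(rule["sport"], pkt["sport"])
            and _port_ok(rule["dport"], pkt["dport"]))

def decide(rules, pkt, pass_first=False):
    """Return the action of the first matching rule, walking the rule
    lists in action order; pass_first=True models the -o switch."""
    order = DASH_O_ORDER if pass_first else DEFAULT_ORDER
    parsed = [parse_header(r) for r in rules]
    for action in order:
        for rule in parsed:
            if rule["action"] == action and matches(rule, pkt):
                return action
    return None  # no rule matched

# Constructed sample rules: an ICMP alert plus a pass rule for one host.
RULES = [
    "alert icmp any any -> 192.0.2.0/24 any",
    "pass icmp 192.0.2.10 any -> any any",
]
# Constructed sample packets (ICMP has no ports; 0 is a stand-in).
PING_FROM_BOX = {"proto": "icmp", "src": "192.0.2.10", "sport": 0,
                 "dst": "192.0.2.20", "dport": 0}
PING_FROM_OTHER = {"proto": "icmp", "src": "192.0.2.99", "sport": 0,
                   "dst": "192.0.2.20", "dport": 0}

if __name__ == "__main__":
    print(decide(RULES, PING_FROM_BOX), decide(RULES, PING_FROM_BOX, pass_first=True))
```

Traffic from other hosts still alerts in both modes, so the pass rule only suppresses what it matches, and only when pass rules are evaluated first.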
