[Snort-users] Snort Rules
wucolin at ...2195...
Thu Jun 7 20:18:09 EDT 2001
Don't you also need to specify the protocol? i.e. tcp, udp, or icmp?
pass tcp 18.104.22.168/32 any -> 22.214.171.124/32 any
pass udp 126.96.36.199/32 any -> 188.8.131.52/32 any
Neil Dickey wrote:
> Brian Carpio <carb02 at ...2172...> wrote asking:
> >I have created a rule
> >pass 184.108.40.206/32 any -> 220.127.116.11/32 any
> >but messages are still getting recorded in the /var/adm/messages from ICMP
> >Requests from this box.. what's wrong with my rule?? does the order of
> >rules in the snort.conf file regulate this?? Which takes precedence a pass
> >rule or an alert rule??
> It depends. If you are using the '-o' switch when invoking snort, then
> pass rules have precedence over alert rules. If you aren't, then alert
> rules have precedence. Check to be sure that you are using this switch.
> Best regards,
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
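An added example, not part of the original messages: a small Python check of Snort rule headers against the layout discussed in this thread (action, protocol, source address and port, direction, destination address and port), plus a helper that reports which protocols a set of pass rules covers. The function names are hypothetical and the addresses are constructed documentation-range values.

```python
# Added example: lint Snort rule headers for the field layout
#   action protocol src_ip src_port direction dst_ip dst_port
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}


def lint_header(rule):
    """Return a list of problems found in the header of one rule line."""
    header = rule.split("(", 1)[0].split()  # drop any (options) part
    if not header:
        return ["empty rule"]
    problems = []
    if header[0] not in ACTIONS:
        problems.append(f"unknown action {header[0]!r}")
    if len(header) < 2 or header[1].lower() not in PROTOCOLS:
        problems.append("missing protocol after action (tcp, udp, icmp or ip)")
        fields = header[1:]  # treat the rest as addresses and ports
    else:
        fields = header[2:]
    if len(fields) != 5 or fields[2] not in DIRECTIONS:
        problems.append("expected: src_ip src_port -> dst_ip dst_port")
    return problems


def pass_protocols(rules):
    """Set of protocols covered by the well-formed pass rules in `rules`."""
    covered = set()
    for rule in rules:
        parts = rule.split()
        if parts[:1] == ["pass"] and not lint_header(rule):
            covered.add(parts[1].lower())
    return covered


if __name__ == "__main__":
    # Constructed sample rules (documentation-range addresses).
    sample = [
        "pass 192.0.2.1/32 any -> 198.51.100.7/32 any",
        "pass tcp 192.0.2.1/32 any -> 198.51.100.7/32 any",
        "pass udp 192.0.2.1/32 any -> 198.51.100.7/32 any",
    ]
    for rule in sample:
        print(rule, "=>", lint_header(rule) or "ok")
    # A pass rule only matches its own protocol, so ICMP traffic is
    # passed only if a pass rule names icmp.
    print("icmp covered:", "icmp" in pass_protocols(sample))
```
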