[Snort-users] Snort Rules

Colin Wu wucolin at ...2195...
Thu Jun 7 20:18:09 EDT 2001


Don't you also need to specify the protocol?  i.e. tcp, udp, or icmp?

pass tcp 205.144.151.100/32 any -> 205.144.151.83/32 any
pass udp 205.144.151.100/32 any -> 205.144.151.83/32 any

Neil Dickey wrote:

> Brian Carpio <carb02 at ...2172...> wrote asking:
>
> >I have created a rule
> >
> >pass 205.144.151.100/32 any -> 205.144.151.83/32 any
> >
> >
> >but messages are still getting recorded in the /var/adm/messages from ICMP
> >Requests from this box.. what's wrong with my rule?? does the order of
> >rules in the snort.conf file regulate this?? Which takes precedence, a pass
> >rule or an alert rule??
>
> It depends.  If you are using the '-o' switch when invoking snort, then
> pass rules have precedence over alert rules.  If you aren't, then alert
> rules have precedence.  Check to be sure that you are using this switch.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115

--
Colin Wu
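
An added illustration, not part of either message and not Snort code: a simplified Python model of rule headers and of the evaluation order Neil describes (pass before alert with '-o', alert before pass without). The alert rule, the icmp pass rule and all function names are constructed for the example; ports and rule options are not modelled.

```python
import ipaddress

PROTOCOLS = ("tcp", "udp", "icmp")  # the protocols named in the reply above

def parse_rule(line):
    """Parse 'action proto src sport -> dst dport'; ports are accepted but not matched."""
    tok = line.split()
    if len(tok) < 2 or tok[1] not in PROTOCOLS:
        raise ValueError("rule header has no protocol field: " + line)
    if len(tok) != 7 or tok[4] != "->":
        raise ValueError("malformed rule header: " + line)
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return {"action": tok[0], "proto": tok[1], "src": net(tok[2]), "dst": net(tok[5])}

def matches(rule, pkt):
    """A rule matches only when protocol, source and destination all agree."""
    return (rule["proto"] == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"])

def first_action(rules, pkt, pass_first):
    """Return the action of the first rule group that matches, or None.
    pass_first=True models running with '-o'; False models the default order."""
    order = ("pass", "alert") if pass_first else ("alert", "pass")
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in rules):
            return action
    return None

# Constructed stand-in for whichever alert rule is firing on the ICMP requests.
ALERT_ICMP = parse_rule("alert icmp any any -> any any")
# The two pass rules from the reply above.
PASS_TCP_UDP = [
    parse_rule("pass tcp 205.144.151.100/32 any -> 205.144.151.83/32 any"),
    parse_rule("pass udp 205.144.151.100/32 any -> 205.144.151.83/32 any"),
]
# Constructed: the same header with the icmp protocol.
PASS_ICMP = parse_rule("pass icmp 205.144.151.100/32 any -> 205.144.151.83/32 any")
# Constructed packet: an ICMP request between the two hosts in the thread.
PING = {"proto": "icmp", "src": "205.144.151.100", "dst": "205.144.151.83"}

if __name__ == "__main__":
    print(first_action([ALERT_ICMP] + PASS_TCP_UDP, PING, pass_first=True))
    print(first_action([ALERT_ICMP, PASS_ICMP], PING, pass_first=True))
    print(first_action([ALERT_ICMP, PASS_ICMP], PING, pass_first=False))
```

In this model the ICMP request is suppressed only when a pass rule for the icmp protocol exists and the pass-first order is selected.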
