[Snort-users] -o and pass/alert/log usage

Joe Fico Fico at ...2391...
Tue Jun 26 16:07:39 EDT 2001


Greetings all!

I seem to be having problems (or misunderstandings) with the PASS option.

in /etc/rc.d/init.d/snortd I have

case "$1" in
  start)
        echo -n "Starting snort: "
        daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
                -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;

in my local rules file I have

alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP Redirect .28 (Network)"; itype:5; icode:0;)
alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP Redirect .37 (Network)"; itype:5; icode:0;)
#
pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode: 0;)
pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)
pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any ";)
pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
#


and sure enough I get

Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37 (Network): 198.182.113.1 -> 198.182.113.37

This is good, I know I can write at least one rule right :)

but I also get

Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network): 198.182.113.1 -> 198.182.113.83

First off, shouldn't it have gotten taken care of by one of the PASS rules I wrote?
Second, do PASS rules get logged like the above rules I wrote? How do I know I am passing something successfully, besides that it never shows up again?


Thanks.


J
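The rule-order question in this post, worked through as an added example (not code from the post or from Snort itself): a small Python model of how Snort walks the action classes, alert then pass then log by default, and pass first when -o is given. The rule set is modelled on the post with `->`/`<>` only, the "ICMP Redirect (Network)" rule stands in for whatever stock signature produced the second syslog line, and the HOME_NET value is an assumption since the post does not show snort.conf.

```python
import ipaddress

# Constructed rule set modelled on the post: (action, src, dir, dst, itype, icode, msg).
# HOME_NET is an assumption; the post does not show its value.
HOME_NET = ipaddress.ip_network("198.182.113.0/24")
RULES = [
    ("alert", "198.182.113.1", "->", "198.182.113.37", 5, 0, "AAI ROUTER ICMP Redirect .37 (Network)"),
    ("alert", "any", "->", "any", 5, 0, "ICMP Redirect (Network)"),   # stand-in for the stock rule
    ("pass", "any", "->", "any", 0, 0, "PASS ICMP Echo Reply"),
    ("pass", "any", "->", "any", 8, 0, "PASS ICMP Echo Request"),
    ("pass", "$HOME_NET", "<>", "$HOME_NET", 5, 0, "PASSING ICMP REDIRECT"),
]

def in_net(addr, spec):
    """Match one address against 'any', '$HOME_NET' or a literal host."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(addr) in HOME_NET
    return addr == spec

def rule_matches(rule, pkt):
    """Header plus itype/icode check; '<>' accepts either direction."""
    _, src, direction, dst, itype, icode, _ = rule
    hit = in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
    if direction == "<>":
        hit = hit or (in_net(pkt["src"], dst) and in_net(pkt["dst"], src))
    return hit and itype == pkt["itype"] and icode == pkt["icode"]

def evaluate(pkt, dash_o=False):
    """Walk the action classes in Snort's order (alert,pass,log by default;
    pass,alert,log with -o). The first matching rule in the first class wins,
    so a pass match with -o means the packet never reaches the alert rules."""
    order = ("pass", "alert", "log") if dash_o else ("alert", "pass", "log")
    for action in order:
        for rule in RULES:
            if rule[0] == action and rule_matches(rule, pkt):
                return action, rule[6]
    return None  # nothing matched: the packet is neither alerted on nor logged

# Constructed packets: the redirect from the post, and one from outside HOME_NET.
REDIRECT_83 = {"src": "198.182.113.1", "dst": "198.182.113.83", "itype": 5, "icode": 0}
REDIRECT_OUTSIDE = {"src": "10.0.0.1", "dst": "198.182.113.83", "itype": 5, "icode": 0}

if __name__ == "__main__":
    for flag in (False, True):
        print("-o" if flag else "default", evaluate(REDIRECT_83, flag), evaluate(REDIRECT_OUTSIDE, flag))
```

A pass match produces no output of its own in this model, as in Snort, so the only evidence of a successful pass is the alert that does not appear.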