FW: [Snort-users] -o and pass/alert/log usage

Joe Fico Fico at ...2391...
Wed Jun 27 13:56:59 EDT 2001

So what Olivier is saying (below) is that even with the -o option on startup
the PASS action doesn't stop a packet from continuing down the rule list
until it gets hit by an ALERT action? I'm confused what PASS is supposed to
do then...

-----Original Message-----
From: Olivier Grumelard
Sent: Tuesday, June 26, 2001 3:25 PM
To: Joe Fico
Subject: Re: [Snort-users] -o and pass/alert/log usage

"alert" rules have priority over "pass" rules, even if you write the "pass"
rule before the "alert" rule.

Hope that helps,


At 13:07 26/06/01 -0700, you wrote:
>Greetings all!
>I seem to be having problems (or misunderstandings) with the PASS option.
>in /etc/rc.d/init.d/snortd I have
>case "$1" in
>   start)
>         echo -n "Starting snort: "
>         daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
>                 -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
>         touch /var/lock/subsys/snort
>         echo
>         ;;
>in my local rules file I have
>alert icmp any <- any any (msg:"NOC Server";)
>alert icmp any <- any (msg:"AAI ROUTER ICMP
>Redirect .28 (Network)"; itype:5; icode:0;)
>alert icmp any <- any (msg:"AAI ROUTER ICMP
>Redirect .37 (Network)"; itype:5; icode:0;)
>pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode:
>pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8;
>pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET
>any ->
>$HOME_NET any ";)
>pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT
>$HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
>alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET
>any -> $HOME_NET any ";itype:5; icode:0;)
>and sure enough I get
>Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37
>(Network): ->
>This is good I know I can write at least one rule right :)
>but I also get
>Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network):
> ->
>First off shouldn't it have gotten taken care of by one of the PASS rules I
>Second do PASS rules get logged like I wrote the above rules? How do I know
>I am passing something successfully besides that it never shows up again.
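
A simplified model of the rule-list ordering this thread is about, as an added example that is not part of the original messages and not Snort's own code: Snort 1.x checks its alert list before its pass list by default, and -o switches that to pass, alert, log. The rule strings below are constructed, and the hypothetical parser handles only the msg, itype and icode options.

```python
import re

# Order in which Snort 1.x walks its per-action rule lists.
DEFAULT_ORDER = ("alert", "pass", "log")   # started without -o
DASH_O_ORDER = ("pass", "alert", "log")    # started with -o
RULE_RE = re.compile(r'^(alert|pass|log)\s+icmp\s+.*?\((.*)\)\s*$')

def parse_rule(line):
    """Parse a simplified ICMP rule into its action and msg/itype/icode options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    opts = {}
    for opt in m.group(2).split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return {
        "action": m.group(1),
        "msg": opts.get("msg", ""),
        "itype": int(opts["itype"]) if "itype" in opts else None,
        "icode": int(opts["icode"]) if "icode" in opts else None,
    }

def matches(rule, pkt):
    # Addresses and direction are ignored in this model; an absent option matches anything.
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("itype", "icode"))

def evaluate(rules, pkt, order):
    """Return (action, msg) of the first match, walking the action lists in order."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action, rule["msg"]
    return None, None

# Constructed rules: the pass rule is written before the alert rule on purpose.
RULES = [parse_rule(r) for r in (
    'pass icmp any any -> any any (msg:"PASS ICMP Redirect"; itype:5; icode:0;)',
    'alert icmp any any -> any any (msg:"ALERT ICMP Redirect"; itype:5; icode:0;)',
    'pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype:8;)',
)]
REDIRECT = {"itype": 5, "icode": 0}

if __name__ == "__main__":
    print("default:", evaluate(RULES, REDIRECT, DEFAULT_ORDER))
    print("with -o:", evaluate(RULES, REDIRECT, DASH_O_ORDER))
```

In this model the position of a rule in the file only matters among rules with the same action; which action wins is decided by the list order.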
