FW: [Snort-users] -o and pass/alert/log usage

Joe Fico Fico at ...2391...
Wed Jun 27 13:56:59 EDT 2001


So what Olivier is saying (below) is that even with the -o option on startup
the PASS action doesn't stop a packet from continuing down the rule list
until it gets hit by a ALERT action? I'm confused what PASS is supposed to
do then...

-----Original Message-----
From: Olivier Grumelard
Sent: Tuesday, June 26, 2001 3:25 PM
To: Joe Fico
Subject: Re: [Snort-users] -o and pass/alert/log usage


"alert" rules have priority over "pass" rules, even if you write the "pass"
rule before the "alert" rule.

Hope that helps,

Olivier.

At 13:07 26/06/01 -0700, you wrote:
>Greetings all!
>
>I seem to be having problems (or misunderstandings) with the PASS option.
>
>in /etc/rc.d/init.d/snortd I have
>
>case "$1" in
>   start)
>         echo -n "Starting snort: "
>         daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
>                 -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
>         touch /var/lock/subsys/snort
>         echo
>         ;;
>
>in my local rules file I have
>
>alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
>alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP
>Redirect .28 (Network)"; itype:5; icode:0;)
>alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP
>Redirect .37 (Network)"; itype:5; icode:0;)
>#
>pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode:
>0;)
>pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8;
icode:
>0;)
>pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET
any ->
>$HOME_NET any ";)
>pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT
>$HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
>alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET
>any -> $HOME_NET any ";itype:5; icode:0;)
>#
>
>
>and sure enough I get
>
>Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37
>(Network): 198.182.113.1 -> 198.182.113.37
>
>This is good I know I can write at least one rule right :)
>
>but I also get
>
>Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network):
>198.182.113.1 -> 198.182.113.83
>
>First off shouldn't it have gotten taken care of by one of the PASS rules I
>wrote?
>Second do PASS rules get logged like I wrote the above rules? How do I know
>I am passing something successfully besides that it never shows up again.
>
>
>Thanks.
>
>
>J
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>http://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list