[Snort-users] -o and pass/alert/log usage

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Wed Jun 27 14:17:56 EDT 2001


I was told in another post that it doesn't matter WHERE the pass rules are
in any of the .rules files, and it doesn't matter in what order the rules
files are included in snort.conf. If you use the -o option, all pass rules
are taken into account first, then alerts. If this is wrong, I'd like to
know so I get it straight too!


-----Original Message-----
From: Joe Fico [mailto:Fico at ...2391...]
Sent: Wednesday, June 27, 2001 1:57 PM
To: Snort-users
Subject: FW: [Snort-users] -o and pass/alert/log usage


So what Olivier is saying (below) is that even with the -o option on startup
the PASS action doesn't stop a packet from continuing down the rule list
until it gets hit by an ALERT action? I'm confused what PASS is supposed to
do then...

-----Original Message-----
From: Olivier Grumelard
Sent: Tuesday, June 26, 2001 3:25 PM
To: Joe Fico
Subject: Re: [Snort-users] -o and pass/alert/log usage


"alert" rules have priority over "pass" rules, even if you write the "pass"
rule before the "alert" rule.

Hope that helps,

Olivier.

At 13:07 26/06/01 -0700, you wrote:
>Greetings all!
>
>I seem to be having problems (or misunderstandings) with the PASS option.
>
>in /etc/rc.d/init.d/snortd I have
>
>case "$1" in
>   start)
>         echo -n "Starting snort: "
>         daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
>                 -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
>         touch /var/lock/subsys/snort
>         echo
>         ;;
>
>in my local rules file I have
>
>alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
>alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP Redirect .28 (Network)"; itype:5; icode:0;)
>alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP Redirect .37 (Network)"; itype:5; icode:0;)
>#
>pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode: 0;)
>pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)
>pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any ";)
>pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
>alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
>#
>
>
>and sure enough I get
>
>Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37 (Network): 198.182.113.1 -> 198.182.113.37
>
>This is good I know I can write at least one rule right :)
>
>but I also get
>
>Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network): 198.182.113.1 -> 198.182.113.83
>
>First off, shouldn't it have gotten taken care of by one of the PASS rules I
>wrote?
>Second, do PASS rules get logged like I wrote the above rules? How do I know
>I am passing something successfully besides that it never shows up again?
>
>
>Thanks.
>
>
>J
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>http://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
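To make the ordering Paul describes concrete, here is an added toy model (not Snort's code, and not from anyone in this thread) that walks rule types in Snort's default alert/pass/log order or the -o pass/alert/log order, first match wins. It uses two pass rules from J's local rules file plus a constructed stand-in for the stock rule behind the "ICMP Redirect (Network)" message; the $HOME_NET value is assumed, and only the ICMP subset seen in the thread (msg, itype, -> and <>, any, $HOME_NET, single IPs) is parsed.

```python
import ipaddress
import re
# Toy model of Snort 1.x rule-type ordering: alert -> pass -> log by default,
# pass -> alert -> log with -o.  Only the ICMP subset used in the thread is
# handled (msg, itype, -> and <>, any, $HOME_NET, single IPs); icode is ignored.
RULE_RE = re.compile(
    r"^(\w+)\s+icmp\s+(\S+)\s+\S+\s+(->|<>)\s+(\S+)\s+\S+\s+\((.*)\)\s*$")

def parse_rule(line):
    """Return (action, src, direction, dst, msg, itype) for one rule line."""
    action, src, direction, dst, opts = RULE_RE.match(line).groups()
    kv = {}
    for opt in opts.split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            kv[key.strip()] = val.strip().strip('"').strip()
    itype = int(kv["itype"]) if "itype" in kv else None
    return action, src, direction, dst, kv.get("msg", ""), itype

def addr_ok(spec, ip, home_net):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(ip) in home_net
    return ip == spec

def rule_hits(rule, pkt, home_net):
    _, src, direction, dst, _, itype = rule
    psrc, pdst, ptype = pkt
    fwd = addr_ok(src, psrc, home_net) and addr_ok(dst, pdst, home_net)
    rev = addr_ok(src, pdst, home_net) and addr_ok(dst, psrc, home_net)
    return (fwd or (direction == "<>" and rev)) and itype in (None, ptype)

def evaluate(rule_lines, pkt, home_net, change_order=False):
    """First matching rule wins, walking the rule types in Snort's order."""
    net = ipaddress.ip_network(home_net)
    rules = [parse_rule(line) for line in rule_lines]
    order = ("pass", "alert", "log") if change_order else ("alert", "pass", "log")
    for action in order:
        for rule in rules:
            if rule[0] == action and rule_hits(rule, pkt, net):
                return action, rule[4]
    return "none", ""

# Two pass rules from the thread plus a constructed stand-in for the stock
# rule whose message ("ICMP Redirect (Network)") appears in the second log line.
RULES = [
    'pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)',
    'pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT"; itype:5; icode:0;)',
    'alert icmp any any -> any any (msg:"ICMP Redirect (Network)"; itype:5; icode:0;)',
]
HOME = "198.182.113.0/24"                          # constructed assumption for $HOME_NET
REDIRECT = ("198.182.113.1", "198.182.113.83", 5)  # (src, dst, itype) from the second log line
```

Running evaluate() on REDIRECT shows the packet is passed under -o only while both addresses fall inside $HOME_NET; narrow the network so .83 is outside and the "ICMP Redirect (Network)" alert fires with or without -o, which is one way the second log line can appear.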

