[Snort-users] -o and pass/alert/log usage

Joe McAlerney joey at ...47...
Wed Jun 27 18:39:10 EDT 2001


Paul: That is correct.  Pass rules take precedence when -o is used,
regardless of where they are located with respect to alert rules.

Joe:  Looking at your problem, I'm wondering if your ROUTER ICMP alert
rules contain addresses that are outside of your HOME_NET.  This would
explain why they are not being passed on.  First, make them valid
addresses by adding the /32 netmask.  Next, confirm that they do exist
in your HOME_NET.  If that doesn't help, try changing $HOME_NET in your
pass rules to "any".  Next, I would try removing the $HOME_NET variables
from the msg field, take out the "->" in the msg field while you are at
it.  We're just making sure Snort isn't parsing the rule incorrectly.

Post back with your findings.

Hope this helps,

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
"Sheahan, Paul (PCLN-NW)" wrote:
> 
> I was told in another post that it doesn't matter WHERE the pass rules are
> in any of the .rules files, and it doesn't matter in what order the rules
> files are included in snort.conf. If you use the -o option, all pass rules
> are taken into account first, then alerts. If this is wrong, I'd like to
> know so I get it straight too!
> 
> -----Original Message-----
> From: Joe Fico [mailto:Fico at ...2391...]
> Sent: Wednesday, June 27, 2001 1:57 PM
> To: Snort-users
> Subject: FW: [Snort-users] -o and pass/alert/log usage
> 
> So what Olivier is saying (below) is that even with the -o option on startup
> the PASS action doesn't stop a packet from continuing down the rule list
> until it gets hit by a ALERT action? I'm confused what PASS is supposed to
> do then...
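
The ordering point argued in this thread, as an added illustration (this is not Snort's code and is not from any of the posters): a toy model of how Snort 1.x picks the deciding rule for a packet. By default the Alert rules are checked first, then Pass, then Log, so a matching alert fires before any pass rule is considered; with -o the order becomes Pass, Alert, Log, so a matching pass rule wins regardless of where it sits in the .rules files. The model also reproduces Joe's diagnosis: a pass rule whose source is $HOME_NET cannot pass traffic from a router outside HOME_NET, while a pass rule with "any" does. Assumptions: first match within an action class wins, rule syntax is reduced to action/protocol/addresses/msg (ports are accepted but ignored), and the HOME_NET, ROUTER, rule text and packets are constructed for the example.

```python
"""Toy model of Snort 1.x rule-action ordering (constructed example, not Snort code).

Default order is Alert -> Pass -> Log; `snort -o` changes it to Pass -> Alert -> Log.
Within one action class the first matching rule wins.  Rule syntax is reduced to
what the model needs: action, protocol, source, port (ignored), ->, destination,
port (ignored), and a msg option.
"""
import ipaddress
import re
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort without -o
O_SWITCH_ORDER = ("pass", "alert", "log")  # Snort with -o

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+\S+\s+"
    r"->\s+(?P<dst>\S+)\s+\S+\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str   # "any", a CIDR block, or a !-negated CIDR block (after $VAR expansion)
    dst: str
    msg: str


def parse_rule(line, variables):
    """Parse one rule line, expanding $VAR tokens from `variables` (e.g. $HOME_NET)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")

    def expand(token):
        return re.sub(r"\$(\w+)", lambda v: variables[v.group(1)], token)

    msg = re.search(r'msg:\s*"([^"]*)"', m.group("opts"))
    return Rule(m.group("action"), m.group("proto"),
                expand(m.group("src")), expand(m.group("dst")),
                msg.group(1) if msg else "")


def addr_matches(spec, ip):
    """True if `ip` is covered by `spec`: any, a CIDR block, or a !-negated block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def evaluate(rules, packet, pass_first=False):
    """Return (action, msg) of the rule that decides `packet`, or (None, "")."""
    order = O_SWITCH_ORDER if pass_first else DEFAULT_ORDER
    for action in order:                      # action classes in Snort's order...
        for r in rules:                       # ...then file order within a class
            if (r.action == action and r.proto == packet["proto"]
                    and addr_matches(r.src, packet["src"])
                    and addr_matches(r.dst, packet["dst"])):
                return r.action, r.msg
    return None, ""


# Constructed sample configuration: HOME_NET and a router that sits outside it.
VARS = {"HOME_NET": "192.168.1.0/24", "ROUTER": "10.0.0.1/32"}

# Alert rule deliberately placed BEFORE the pass rule in the file.
RULES_HOME_NET = [
    'alert icmp $ROUTER any -> $HOME_NET any (msg:"ROUTER ICMP";)',
    'pass icmp $HOME_NET any -> $HOME_NET any (msg:"pass internal ICMP";)',
]
# Same alert rule, but the pass rule uses "any" as its source (Joe's suggested test).
RULES_ANY = [
    'alert icmp $ROUTER any -> $HOME_NET any (msg:"ROUTER ICMP";)',
    'pass icmp any any -> $HOME_NET any (msg:"pass all ICMP into HOME_NET";)',
]
ROUTER_PING = {"proto": "icmp", "src": "10.0.0.1", "dst": "192.168.1.50"}  # constructed packet


def load(rules_text, variables=VARS):
    return [parse_rule(line, variables) for line in rules_text]


def main():
    # $HOME_NET source on the pass rule: the router ping is alerted on even with -o,
    # because 10.0.0.1 is not in HOME_NET, so the pass rule never matches.
    print(evaluate(load(RULES_HOME_NET), ROUTER_PING))                   # alert
    print(evaluate(load(RULES_HOME_NET), ROUTER_PING, pass_first=True))  # still alert
    # "any" source on the pass rule: default order alerts, -o passes,
    # even though the pass rule comes after the alert rule in the file.
    print(evaluate(load(RULES_ANY), ROUTER_PING))                        # alert
    print(evaluate(load(RULES_ANY), ROUTER_PING, pass_first=True))       # pass


if __name__ == "__main__":
    main()
```

Run it as a script to see the four decisions; the second pair is the behaviour Paul describes (pass rules first under -o, file order irrelevant), and the first pair is why a pass rule restricted to $HOME_NET can still leave the ROUTER ICMP alerts firing.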
