[Snort-users] -o and pass/alert/log usage
joey at ...47...
Wed Jun 27 18:39:10 EDT 2001
Paul: That is correct. Pass rules take precedence when -o is used,
regardless of where they are located with respect to alert rules.
Joe: Looking at your problem, I'm wondering if your ROUTER ICMP alert
rules contain addresses that are outside of your HOME_NET. This would
explain why they are not being passed on. First, make them valid
addresses by adding the /32 netmask. Next, confirm that they do exist
in your HOME_NET. If that doesn't help, try changing $HOME_NET in your
pass rules to "any". Next, I would try removing the $HOME_NET variables
from the msg field, and take out the "->" in the msg field while you are at
it. We're just making sure Snort is parsing the rule incorrectly.
Post back with your findings.
Hope this helps,
| Joe McAlerney joey at ...155... |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
"Sheahan, Paul (PCLN-NW)" wrote:
> I was told in another post that it doesn't matter WHERE the pass rules are
> in any of the .rules files, and it doesn't matter in what order the rules
> files are included in snort.conf. If you use the -o option, all pass rules
> are taken into account first, then alerts. If this is wrong, I'd like to
> know so I get it straight too!
> -----Original Message-----
> From: Joe Fico [mailto:Fico at ...2391...]
> Sent: Wednesday, June 27, 2001 1:57 PM
> To: Snort-users
> Subject: FW: [Snort-users] -o and pass/alert/log usage
> So what Olivier is saying (below) is that even with the -o option on startup
> the PASS action doesn't stop a packet from continuing down the rule list
> until it gets hit by an ALERT action? I'm confused what PASS is supposed to
> do then...
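As an added example (not code from this thread or from Snort itself), a small Python model of the two points the thread turns on: how -o reorders rule types so a pass rule wins no matter where it sits in the .rules files, and Joe's check that pass-rule addresses carry a /32 and fall inside HOME_NET. It assumes Snort 1.x's default alert, pass, log order versus pass, alert, log under -o, and only the plain `var HOME_NET` and `action proto src port -> dst port` syntax; the config fragment is constructed.

```python
import ipaddress
import re
# Constructed snort.conf-style fragment (not from the original post): an alert
# rule listed BEFORE the "ROUTER ICMP" pass rules it should lose to under -o.
SAMPLE_CONF = """var HOME_NET 192.168.1.0/24
alert icmp any any -> $HOME_NET any (msg:"ICMP to HOME_NET";)
pass icmp 192.168.1.1/32 any -> $HOME_NET any (msg:"ROUTER ICMP";)
pass icmp 10.0.0.1 any -> $HOME_NET any (msg:"ROUTER ICMP";)
"""
RULE_RE = re.compile(r"^(pass|alert|log)\s+(\S+)\s+(\S+)\s+\S+\s+->\s+(\S+)\s+\S+")

def parse(conf):
    """Return (HOME_NET network, [(action, proto, src, dst), ...]) in file order."""
    home_net, rules = None, []
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("var HOME_NET"):
            home_net = ipaddress.ip_network(line.split()[2], strict=False)
        elif (m := RULE_RE.match(line)):
            rules.append(m.groups())
    return home_net, rules

def _matches(addr, ip, home_net):
    if addr == "any":
        return True
    net = home_net if addr == "$HOME_NET" else ipaddress.ip_network(addr, strict=False)
    return ipaddress.ip_address(ip) in net

def first_action(conf, proto, src_ip, dst_ip, o_flag):
    """Rule types are tried alert,pass,log by default and pass,alert,log with -o."""
    home_net, rules = parse(conf)
    order = ("pass", "alert", "log") if o_flag else ("alert", "pass", "log")
    for action in order:  # file position only matters within one rule type
        for act, prot, src, dst in rules:
            if (act == action and prot == proto and _matches(src, src_ip, home_net)
                    and _matches(dst, dst_ip, home_net)):
                return action
    return None

def bad_pass_addrs(conf):
    """Pass-rule addresses that lack a netmask or fall outside HOME_NET."""
    home_net, rules = parse(conf)
    out = []
    for act, _, src, dst in rules:
        for a in (src, dst):
            if act != "pass" or a in ("any", "$HOME_NET"):
                continue
            if "/" not in a:
                out.append((a, "no netmask, add /32"))
            if not ipaddress.ip_network(a, strict=False).subnet_of(home_net):
                out.append((a, "outside HOME_NET"))
    return out
```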