[Snort-users] -o and pass/alert/log usage
Fico at ...2391...
Wed Jun 27 19:05:13 EDT 2001
Well, I changed my rules to look like this.
#pass icmp 172.16.100.9/32 any <- any any (msg:"PASSING ICMP from N.A. NOC
alert icmp 172.16.100.9/32 any <- any any (msg:" ALERTING ICMP FROM N.A. NOC
and I got this message.
Jun 27 15:54:52 localhost snort: ALERTING ICMP FROM N.A. NOC Server:
172.16.100.9 -> 188.8.131.52
So that's cool. Now I can uncomment the pass rule and I get...
Why don't I get a message for the pass rule?
> -----Original Message-----
> From: joey at ...47... [mailto:joey at ...47...]
> Sent: Wednesday, June 27, 2001 3:39 PM
> To: Sheahan, Paul (PCLN-NW); 'Joe Fico'
> Cc: Snort-users
> Subject: Re: [Snort-users] -o and pass/alert/log usage
> Paul: That is correct. Pass rules take precedence when -o is used,
> regardless of where they are located with respect to alert rules.
> Joe: Looking at your problem, I'm wondering if your ROUTER ICMP alert
> rules contain addresses that are outside of your HOME_NET. This would
> explain why they are not being passed on. First, make them valid
> addresses by adding the /32 netmask. Next, confirm that they do exist
> in your HOME_NET. If that doesn't help, try changing $HOME_NET in your
> pass rules to "any". Next, I would try removing the $HOME_NET variables
> from the msg field, take out the "->" in the msg field while you are at
> it. We're just making sure Snort is parsing the rule incorrectly.
> Post back with your findings.
> Hope this helps,
> -Joe M.
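
The rule ordering discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not Snort code) of how rule types are evaluated with and without -o. The default Alert->Pass->Log order and the fact that a pass match writes nothing are taken from the Snort 1.x documentation; the rule tuples and the packet are constructed from the rules quoted above, and matching is reduced to protocol plus source address.

```python
import ipaddress

# Rule-type evaluation order in Snort 1.x (from its documentation, not the post)
DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")  # order when snort is started with -o

# Constructed rules modelled on the post: (action, proto, source CIDR, msg)
RULES = [
    ("alert", "icmp", "172.16.100.9/32", "ALERTING ICMP FROM N.A. NOC"),
    ("pass", "icmp", "172.16.100.9/32", "PASSING ICMP from N.A. NOC"),
]


def evaluate(packet, rules, dash_o=False):
    """Return (action, output) for the first rule that matches, by type order.

    Position in the rules file does not matter between types; only the
    type order does. A pass match ends evaluation and produces no output,
    so the msg text of a pass rule never reaches syslog or the alert file.
    """
    order = DASH_O_ORDER if dash_o else DEFAULT_ORDER
    src = ipaddress.ip_address(packet["src"])
    for action in order:
        for rule_action, proto, cidr, msg in rules:
            if rule_action != action or proto != packet["proto"]:
                continue
            if src in ipaddress.ip_network(cidr):
                return (action, None if action == "pass" else msg)
    return (None, None)


if __name__ == "__main__":
    pkt = {"proto": "icmp", "src": "172.16.100.9"}  # constructed packet
    print("without -o:", evaluate(pkt, RULES))
    print("with -o:   ", evaluate(pkt, RULES, dash_o=True))
```

In this model the same packet produces the alert message without -o and nothing at all with -o, because the pass rule is reached first and silently ends evaluation.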