FW: [Snort-users] -o and pass/alert/log usage

Phil Wood cpw at ...440...
Wed Jun 27 21:39:01 EDT 2001


Read the README, the part about '-o', and possibly the other options you
are using.  pass has worked fine for me since I started using snort.  I'm
now at 1.8.  Not that I don't have other problems, like segmentation faults.

Anyhow, the "pass" mechanism should work just fine.

On Wed, Jun 27, 2001 at 10:56:59AM -0700, Joe Fico wrote:
> So what Olivier is saying (below) is that even with the -o option on startup
> the PASS action doesn't stop a packet from continuing down the rule list
> until it gets hit by a ALERT action? I'm confused what PASS is supposed to
> do then...
> 
> -----Original Message-----
> From: Olivier Grumelard
> Sent: Tuesday, June 26, 2001 3:25 PM
> To: Joe Fico
> Subject: Re: [Snort-users] -o and pass/alert/log usage
> 
> 
> "alert" rules have priority over "pass" rules, even if you write the "pass"
> rule before the "alert" rule.
> 
> Hope that helps,
> 
> Olivier.
> 
> At 13:07 26/06/01 -0700, you wrote:
> >Greetings all!
> >
> >I seem to be having problems (or misunderstandings) with the PASS option.
> >
> >in /etc/rc.d/init.d/snortd I have
> >
> >case "$1" in
> >   start)
> >         echo -n "Starting snort: "
> >         daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
> >                 -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
> >         touch /var/lock/subsys/snort
> >         echo
> >         ;;
> >
> >in my local rules file I have
> >
> >alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
> >alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP Redirect .28 (Network)"; itype:5; icode:0;)
> >alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP Redirect .37 (Network)"; itype:5; icode:0;)
> >#
> >pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode: 0;)
> >pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)
> >pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any ";)
> >pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
> >alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
> >#
> >
> >
> >and sure enough I get
> >
> >Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37 (Network): 198.182.113.1 -> 198.182.113.37
> >
> >This is good I know I can write at least one rule right :)
> >
> >but I also get
> >
> >Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network): 198.182.113.1 -> 198.182.113.83
> >
> >First off shouldn't it have gotten taken care of by one of the PASS rules I
> >wrote?
> >Second do PASS rules get logged like I wrote the above rules? How do I know
> >I am passing something successfully besides that it never shows up again.
> >
> >
> >Thanks.
> >
> >
> >J
> >
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >http://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-- 
Phil Wood, cpw at ...440...
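The ordering the thread is arguing about, as an added example (not Snort's code and not code from anyone in this thread): a toy evaluator that applies rule groups in Snort's default alert/pass/log order and in the pass/alert/log order selected by -o, run against the poster's ICMP rules. The value of $HOME_NET, the stand-in for the stock rule behind the "ICMP Redirect (Network)" alert, and file-order evaluation within a group are assumptions; real Snort matching involves far more than the handful of fields modelled here.

```python
"""Toy model of how Snort 1.x orders rule actions.

Added example; it is not Snort's code and not code from anyone in the
thread. It models only the point under discussion: Snort applies rules by
action group, alert -> pass -> log by default and pass -> alert -> log
when started with -o, and the first group that holds a matching rule
decides the packet. Matching is reduced to ICMP source and destination
address, direction and ICMP type/code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed value for $HOME_NET; the poster's snort.conf is not shown.
HOME_NET = ipaddress.ip_network("198.182.113.0/24")
# Constructed alternative that does NOT contain the router 198.182.113.1.
OTHER_HOME_NET = ipaddress.ip_network("172.16.100.0/24")

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default order
O_SWITCH_ORDER = ("pass", "alert", "log")  # order selected by -o


@dataclass
class Rule:
    action: str                 # "alert", "pass" or "log"
    src: str                    # "any", a single address or "$HOME_NET"
    direction: str              # "->" or "<>"
    dst: str
    msg: str
    itype: Optional[int] = None
    icode: Optional[int] = None


@dataclass
class IcmpPacket:
    src: str
    dst: str
    itype: int
    icode: int


# The poster's pass/alert rules for echo and redirect traffic, in file order,
# preceded by a constructed stand-in for the stock rule that produced the
# "ICMP Redirect (Network)" alert in the post (the real rule is not shown).
LOCAL_RULES = [
    Rule("alert", "any", "->", "any", "ICMP Redirect (Network)", itype=5, icode=0),
    Rule("pass", "any", "->", "any", "PASS ICMP Echo Reply", itype=0, icode=0),
    Rule("pass", "any", "->", "any", "PASS ICMP Echo Request", itype=8, icode=0),
    Rule("pass", "$HOME_NET", "<>", "$HOME_NET",
         "PASSING ICMP $HOME_NET any -> $HOME_NET any"),
    Rule("pass", "$HOME_NET", "<>", "$HOME_NET",
         "PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any", itype=5, icode=0),
    Rule("alert", "$HOME_NET", "<>", "$HOME_NET",
         "ALERTING ICMP $HOME_NET any -> $HOME_NET any", itype=5, icode=0),
]

# The redirect from the poster's second syslog line (constructed packet).
REDIRECT_PKT = IcmpPacket("198.182.113.1", "198.182.113.83", itype=5, icode=0)


def addr_matches(spec, addr, home_net):
    """Match one address against "any", "$HOME_NET" or a literal address."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(addr) in home_net
    return ipaddress.ip_address(addr) == ipaddress.ip_address(spec)


def rule_matches(rule, pkt, home_net):
    """Addresses (honouring <> as bidirectional) plus optional itype/icode."""
    forward = (addr_matches(rule.src, pkt.src, home_net)
               and addr_matches(rule.dst, pkt.dst, home_net))
    reverse = (rule.direction == "<>"
               and addr_matches(rule.src, pkt.dst, home_net)
               and addr_matches(rule.dst, pkt.src, home_net))
    if not (forward or reverse):
        return False
    if rule.itype is not None and rule.itype != pkt.itype:
        return False
    if rule.icode is not None and rule.icode != pkt.icode:
        return False
    return True


def decide(pkt, order=DEFAULT_ORDER, rules=LOCAL_RULES, home_net=HOME_NET):
    """Return (action, msg) of the first matching rule in the first action
    group that contains one, or None when no rule matches at all."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt, home_net):
                return action, rule.msg
    return None


if __name__ == "__main__":
    print("default order     :", decide(REDIRECT_PKT))
    print("with -o           :", decide(REDIRECT_PKT, O_SWITCH_ORDER))
    # When $HOME_NET does not cover the router, no pass rule matches and the
    # alert fires even with -o.
    print("-o, other HOME_NET:", decide(REDIRECT_PKT, O_SWITCH_ORDER,
                                        home_net=OTHER_HOME_NET))
```

Run as-is, the redirect to .83 produces the alert under the default order and is passed under the -o order, which is the behaviour the README describes. The third line shows the check worth making when a pass rule appears to do nothing even with -o: if $HOME_NET does not contain the addresses involved, the $HOME_NET pass rules never match and the alert group is reached regardless of ordering.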