[Snort-users] -o and pass/alert/log usage

James Hoagland hoagland at ...47...
Thu Jun 28 11:48:04 EDT 2001


At 4:05 PM -0700 6/27/01, Joe Fico wrote:
>Well I changed my rules to look like this.
>
>#pass icmp 172.16.100.9/32 any <- any any (msg:"PASSING ICMP from N.A. NOC Server";)
>alert icmp 172.16.100.9/32 any <- any any (msg:" ALERTING ICMP FROM N.A. NOC Server";)
>
>and I got this message.
>
>Jun 27 15:54:52 localhost snort[5629]: ALERTING ICMP FROM N.A. NOC Server: 172.16.100.9 -> 198.182.113.130
>
>so that's cool, now I can uncomment out the pass rule and I get...
>
>nothing.
>
>Why don't I get a message for the pass rule?

Because pass rules do not generate alerts or messages.  They just 
stop the search for any other rule.

Kind regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
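
Added example, not part of the original message and not Snort's own code: a simplified Python model of the rule ordering in the exchange above. It assumes Snort 1.x behaviour, where rules are grouped by action, the chains are checked alert, pass, log by default or pass, alert, log with -o, and the first match ends the search; the rule tuples, packet and function names are constructed for illustration.

```python
# Simplified model of Snort 1.x rule-chain ordering (illustration only, not Snort source).
from ipaddress import ip_address, ip_network

DEFAULT_ORDER = ("alert", "pass", "log")  # assumed chain order without -o
DASH_O_ORDER = ("pass", "alert", "log")   # assumed chain order with -o

# Constructed rules modelled on the two in the message: (action, proto, network, msg)
RULES = [
    ("pass", "icmp", "172.16.100.9/32", "PASSING ICMP from N.A. NOC Server"),
    ("alert", "icmp", "172.16.100.9/32", "ALERTING ICMP FROM N.A. NOC Server"),
]

# Constructed packet matching the logged alert line.
PKT = {"proto": "icmp", "src": "172.16.100.9", "dst": "198.182.113.130"}


def matches(rule, pkt):
    """True if the packet's protocol matches and either endpoint is in the rule's network."""
    _, proto, net, _ = rule
    network = ip_network(net)
    return pkt["proto"] == proto and (
        ip_address(pkt["src"]) in network or ip_address(pkt["dst"]) in network
    )


def evaluate(rules, pkt, order):
    """Walk the action chains in `order`; the first matching rule ends the search.

    Returns (action, output). A pass match returns output None: the msg option
    of a pass rule is never emitted, which is why nothing shows up in syslog.
    """
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, pkt):
                return action, (None if action == "pass" else rule[3])
    return None, None


if __name__ == "__main__":
    print("with -o:   ", evaluate(RULES, PKT, DASH_O_ORDER))
    print("without -o:", evaluate(RULES, PKT, DEFAULT_ORDER))
    print("alert only:", evaluate(RULES[1:], PKT, DASH_O_ORDER))
```

A silent result with -o therefore means the pass rule matched first, not that the sensor missed the traffic; checking that a pass rule works requires a temporary alert rule with the same header, as done in the quoted message.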



