[Snort-users] Newbie Question

Ginnetty, James JGinnetty at ...1561...
Tue Mar 13 11:02:57 EST 2001


I currently have snort 1.7 with the latest consolidated rule list up and
running on a W98 box and was trying to tone down some alerts being generated
by a number of our network management boxes. They are currently tripping the
UDP misc traceroute rule every couple of seconds because of the ttl in the
packet. So I basically copied the misc traceroute rule, added it to the
local rules file and changed the "alert" to "pass". I expected that
everything that was triggering the misc traceroute rule would then drop out
and no longer be reported on. I was then going to make the "pass" rule more
specific to IP and port so as not to miss real Traceroute issues. 

What seems to be happening is that if the local rule specifies "pass" the
packets are still being caught and logged by the misc rule. If I then change
the local rule from "pass" to "alert" then the packets are logged out of the
local rule file and not picked up a second time by the misc rules. I'm sure
this confusion is mine and results from my understanding of the logging and
alert functionality. I would have expected that packets passed would never
be logged or alerted on. I'm currently starting snort with:

snort -i5 -l C:\snort\logs -A full -c C:\snort\SnortLoc.conf -d

The snortloc.conf file is set up to do an include on the local.rules file.
Any help or workaround would be much appreciated....
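The behaviour described in this post comes from Snort 1.x's rule-application order: by default the alert rules are evaluated first, then pass, then log, so a pass rule is never reached for a packet that an alert rule already matched; the `-o` switch changes the order to pass, alert, log. The following model of that ordering is an added example, not code from the original post or from Snort itself. The rule fields, the port range and ttl used to approximate the MISC traceroute rule, and the addresses are all constructed for illustration.

```python
"""Toy model of Snort 1.x rule-application order (added example, not Snort code).

Snort 1.x default order is alert -> pass -> log; the -o switch selects
pass -> alert -> log. Rule matching here is a simplified stand-in (protocol,
destination port range, exact ttl, optional source host), not real Snort
rule parsing."""

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int
    ttl: int


@dataclass(frozen=True)
class Rule:
    action: str          # "alert", "pass" or "log"
    proto: str
    dst_ports: range     # matched against Packet.dst_port
    ttl: Optional[int]   # exact ttl to match, like Snort's ttl: option; None = any
    src: Optional[str]   # restrict to one source host; None = any
    msg: str

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.proto == self.proto
            and pkt.dst_port in self.dst_ports
            and (self.ttl is None or pkt.ttl == self.ttl)
            and (self.src is None or pkt.src == self.src)
        )


DEFAULT_ORDER = ("alert", "pass", "log")     # Snort 1.x default
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what snort -o selects


def evaluate(pkt: Packet, rules: Sequence[Rule], order=DEFAULT_ORDER) -> str:
    """Walk the rule groups in the given order; the first matching rule in the
    first group that has a match decides. Simplified: real Snort can also
    continue matching inside a group for alert/log combinations."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return f"{action}:{rule.msg}"
    return "no-match"


# Constructed rules. The port range and ttl 1 approximate the MISC traceroute rule.
TRACEROUTE_PORTS = range(33434, 33524)
MISC_TRACEROUTE = Rule("alert", "udp", TRACEROUTE_PORTS, 1, None, "MISC traceroute")
# The approach from the post: a copy of the alert rule with the action changed to pass.
LOCAL_PASS_COPY = Rule("pass", "udp", TRACEROUTE_PORTS, 1, None, "local traceroute pass")
# A tightened pass rule limited to one network-management host (constructed address).
MGMT_HOST = "10.0.0.5"
LOCAL_PASS_MGMT = Rule("pass", "udp", TRACEROUTE_PORTS, 1, MGMT_HOST, "pass mgmt traceroute")

RULES_COPY = [MISC_TRACEROUTE, LOCAL_PASS_COPY]
RULES_MGMT = [MISC_TRACEROUTE, LOCAL_PASS_MGMT]

# Constructed packets: a probe from the management host and one from elsewhere.
MGMT_PROBE = Packet("udp", MGMT_HOST, 33440, 1)
OTHER_PROBE = Packet("udp", "192.0.2.77", 33440, 1)

if __name__ == "__main__":
    # Default order: the alert group is checked first, so the pass copy never runs.
    print(evaluate(MGMT_PROBE, RULES_COPY))                     # alert:MISC traceroute
    # Pass-first order (-o): the pass copy suppresses the alert.
    print(evaluate(MGMT_PROBE, RULES_COPY, PASS_FIRST_ORDER))   # pass:local traceroute pass
    # Pass-first order with the host-specific pass rule: only the management host is quiet.
    print(evaluate(MGMT_PROBE, RULES_MGMT, PASS_FIRST_ORDER))   # pass:pass mgmt traceroute
    print(evaluate(OTHER_PROBE, RULES_MGMT, PASS_FIRST_ORDER))  # alert:MISC traceroute
```

The last two calls show why narrowing the pass rule to the management hosts matters once pass-first ordering is in effect: a broad pass rule silences every low-ttl UDP probe in that port range, while the source-restricted one keeps the MISC traceroute alert for any other host.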


