[Snort-users] Help with pass rule

Erek Adams erek at ...577...
Tue Aug 27 23:59:02 EDT 2002


On Wed, 28 Aug 2002 francisv at ...6732... wrote:

[...good info snipped...]

> The idea is to ignore traffic coming from the $SERVER_NET block going out
> and ignore scan attempts from outside going inside $HOME_NET. The problem is
> I still see alerts for scan proxy attempts from outside. This is how I run
> snort:
>
> 	/usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf

Welcome to the club.  ;)  Snort variables ($HOME_NET) do not get sent to the
preprocessors or the plugins.

If you write a pass rule, it needs to also be in the portscan_ignorehosts so
that the portscan plugin does not see it as a scan.

Hope that helps!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
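
The pairing described in the reply above, as an added snort.conf sketch that is not from the original post: the addresses are constructed documentation ranges, and the directive is written `portscan-ignorehosts`, the hyphenated spelling Snort 1.x configuration files use for the name the reply gives with an underscore.

```conf
# Constructed example networks (documentation ranges), not from the post.
var HOME_NET   198.51.100.0/24
var SERVER_NET 192.0.2.0/24

# Rule engine: suppress alerts for traffic sourced from the server block.
# Requires -o on the command line (present in "snort -Dko ...") so that
# pass rules are evaluated before alert rules.
pass ip $SERVER_NET any -> any any

# The portscan preprocessor runs outside the rule engine, so the pass
# rule above does not affect it.
# Arguments: watched network, port count, time window in seconds, log file.
preprocessor portscan: 198.51.100.0/24 4 3 portscan.log

# Sources the portscan preprocessor should not report as scanners.
# Literal CIDR blocks are used here, following the reply's point that
# rule variables are not handed to preprocessors.
preprocessor portscan-ignorehosts: 192.0.2.0/24
```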