[Snort-users] Help with pass rule

francisv at ...6732...
Thu Aug 29 17:03:22 EDT 2002

But I'm sure what Snort is catching is an alert based on the ACID report :|

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Thursday, August 29, 2002 10:32 PM
To: francisv at ...6732...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Help with pass rule

On Thu, 29 Aug 2002 francisv at ...6732... wrote:

> I have defined the following:
> 	var HOME_NET
> However, there are still things that are not clear to me. If I changed the
> ordering of snort to pass->alert->log instead of alert->pass->log using
> option "o", why do I still get alerts from scan proxy/socks alert even if
> allowed it to pass?
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
> 	pass tcp $EXTERNAL_NET any -> $HOME_NET 1080
> Is it a bug or a feature?

Feature.  :)

If you look you'll see that what generated those alerts isn't a rule, but a
preprocessor.  spp_portscan or spp_portscan2 aren't affected by the pass
rules.  They only use the portscan_ignorehosts config option.

If you would like to ignore this traffic and lighten the load on snort, then
use a BPF filter.  Start snort with something like
"snort <your options> 'not (net and port 1080) and not (net and port 3128)'".
See the tcpdump man page for more info on how to write the BPF


Erek Adams
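As an added illustration (not part of the original thread), the following shell helper turns a HOME_NET and the three proxy ports from the pass rules into the single BPF expression Erek describes, so the traffic is dropped at capture time before any preprocessor sees it; 192.168.1.0/24, eth0 and /etc/snort/snort.conf are assumed placeholders, and a HOME_NET of "any" would not work with "net".

```shell
#!/bin/sh
# build_bpf HOME_NET port [port ...]
# Emits a BPF expression that excludes traffic between HOME_NET and the
# listed ports.  "net X and port Y" matches both directions, which is broader
# than a directional pass rule, but unlike a pass rule the BPF filter is
# applied before the portscan preprocessor runs, so those alerts stop too.
build_bpf() {
  home_net="$1"; shift
  ports=""
  for p in "$@"; do
    ports="${ports:+$ports or }port $p"
  done
  printf 'not (net %s and (%s))' "$home_net" "$ports"
}

# snort_cmd HOME_NET port [port ...]
# Full command line; the BPF expression goes last, single-quoted so the
# shell does not interpret the parentheses.  Paths and interface are assumed.
snort_cmd() {
  printf "snort -c /etc/snort/snort.conf -i eth0 '%s'" "$(build_bpf "$@")"
}

# Constructed example: 192.168.1.0/24 stands in for the poster's HOME_NET.
snort_cmd 192.168.1.0/24 8080 3128 1080; echo
```

Note that everything the filter excludes is invisible to every rule and preprocessor, not only the portscan one; if only portscan alerts for particular hosts are unwanted, the portscan_ignorehosts option Erek mentions is the narrower tool.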
