[Snort-users] RE: Help with pass rule

Erek Adams erek at ...577...
Sat Aug 31 07:02:03 EDT 2002


On Sat, 31 Aug 2002 francisv at ...6732... wrote:

> I think you're right, I was using the wrong command line parameters. I
> changed it to:
>
> 	/usr/local/bin/snort -D -k none -o -c /usr/local/etc/snort.conf
>
> and it doesn't log the proxy/socks scan! :) Thanks for all your help.

Woo-Hoo!  All right!  I'm glad we figured it out.

[I'm adding snort-users back onto the cc list.]

Erek


> -----Original Message-----
> From: Erek Adams [mailto:erek at ...577...]
> Sent: Saturday, August 31, 2002 2:14 AM
> To: francisv at ...6732...
> Subject: RE: Help with pass rule
>
>
> Ok, I've just tested this and I can not duplicate your issue.
>
> What I did:
>
>  1)  Create a rules file called ignore.rules with one rule in it.  pass tcp
> $EXTERNAL_NET any -> $HOME_NET 8080.
>  2)  snort -o
>  3)  Logged into a remote machine.
>  4)  On remote:  telnet <ip> 8080
>  5)  Nothing on that port, so connection refused.
>  6)  Stopped snort, looked at the stats.  No alerts, no logs, one passed.
>  7)  Removed the rule.
>  8)  Started snort with -o
>  9)  On remote:  telnet <ip> 8080
> 10)  Stopped snort, looked at the stats.  1 alert, 1 logged, none passed.
>
> Alert file was 0 bytes the first time, and 314 on the second.  include
> $RULEPATH/ignore.rules was the first including of rules, above everything.
>
> I'm running: Version 1.9.0beta6 (Build 202) on Solaris.
>
> Out of curiosity, have you done anything like that?
>
> I dug out all of your emails and noticed that you are starting it with -D -o
> and -k.  Looking at the code for -k, at about 983 in snort.c, you see that -k
> seems to look for a parameter.  If it is, it might be taking the next flag
> (-c) as an argument, and might be looking at the wrong config file.  Try
> running it without -D and see if there is anything useful written to the
> screen.  Then try without -D and -k and see if it makes any difference.
>
> Other than command line switches and/or snort version, I've got no idea why
> this might be happening.
>
> Sorry for taking so long to respond:  Dinner made me way too full, and it was
> goodnight to me!  :)
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
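
An added example, not part of the thread, showing the -k misparse Erek describes above: a getopt()-style parser that treats -k as taking a value will bind the following "-c" to -k, so the config path is never attached to -c. The optstring "Dk:oc:" is an assumption that models only the four flags mentioned in the thread, not snort's full option set.

```python
import getopt

# Assumed short-option spec modelled on the flags in the thread: -D and -o are
# bare switches, -k and -c each take a value (snort's real optstring is longer).
OPTSTRING = "Dk:oc:"

def parse_snort_argv(argv):
    """Return (options_dict, leftover_args) the way a getopt()-style parser sees argv.
    Like C getopt(), Python's getopt takes the next argv element as the value of
    an option declared with ':' even when that element starts with '-'."""
    opts, rest = getopt.getopt(argv, OPTSTRING)
    return dict(opts), rest

def config_file_seen(argv):
    """Which path, if any, actually gets bound to -c."""
    opts, _ = parse_snort_argv(argv)
    return opts.get("-c")

def flag_like_values(argv):
    """Defensive check for a start-up wrapper: report any option whose bound value
    itself looks like a flag, which is the tell-tale sign of a missing argument."""
    opts, _ = parse_snort_argv(argv)
    return {flag: val for flag, val in opts.items() if val.startswith("-")}

# Constructed invocations: -k with no value (the suspected mistake) and the
# corrected form from the thread, -k none before -o and -c.
BROKEN = ["-D", "-o", "-k", "-c", "/usr/local/etc/snort.conf"]
FIXED = ["-D", "-k", "none", "-o", "-c", "/usr/local/etc/snort.conf"]

if __name__ == "__main__":
    for label, argv in (("broken", BROKEN), ("fixed", FIXED)):
        opts, rest = parse_snort_argv(argv)
        print(label, opts, "leftover:", rest, "suspicious:", flag_like_values(argv))
```

In the broken case -k swallows "-c", the config path is left over as a positional argument, and snort would fall back to whatever default config it finds, which matches the "wrong config file" symptom.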