[Snort-users] RE: Help with pass rule
erek at ...577...
Sat Aug 31 07:02:03 EDT 2002
On Sat, 31 Aug 2002 francisv at ...6732... wrote:
> I think you're right, I was using the wrong command line parameters. I
> changed it to:
> /usr/local/bin/snort -D -k none -o -c /usr/local/etc/snort.conf
> and it doesn't log the proxy/socks scan! :) Thanks for all your help.
Woo-Hoo! All right! I'm glad we figured it out.
[I'm adding snort-users back onto the cc list.]
> -----Original Message-----
> From: Erek Adams [mailto:erek at ...577...]
> Sent: Saturday, August 31, 2002 2:14 AM
> To: francisv at ...6732...
> Subject: RE: Help with pass rule
> Ok, I've just tested this and I can not duplicate your issue.
> What I did:
> 1) Create a rules file called ignore.rules with one rule in it. pass tcp
> $EXTERNAL_NET any -> $HOME_NET 8080.
> 2) snort -o
> 3) Logged into a remote machine.
> 4) On remote: telnet <ip> 8080
> 5) Nothing on that port, so connection refused.
> 6) Stopped snort, looked at the stats. No alerts, no logs, one passed.
> 7) Removed the rule.
> 8) Started snort with -o
> 9) On remote: telnet <ip> 8080
> 10) Stopped snort, looked at the stats. 1 alert, 1 logged, none passed.
> Alert file was 0 bytes the first time, and 314 on the second. include
> $RULEPATH/ignore.rules was the first including of rules, above everything.
> I'm running: Version 1.9.0beta6 (Build 202) on Solaris.
> Out of curiosity, have you done anything like that?
> I dug out all of your emails and noticed that you are starting it with -D -o
> and -k. Looking at the code for -k, at about 983 in snort.c, you see that it
> seems to look for a parameter. If it is, it might be taking the next flag
> (-c) as an argument, and might be looking at the wrong config file. Try
> running it without -D and see if there is anything useful written to the
> screen. Then try without -D and -k and see if it makes any difference.
> Other than command line switches and/or snort version, I've got no idea why
> this might be happening.
> Sorry for taking so long to respond: Dinner made me way too full, and it was
> goodnight to me! :)
> Erek Adams