[Snort-users] Rules

Enrico M.V. Fasanelli Enrico.M.V.Fasanelli at ...4883...
Mon Feb 11 06:19:05 EST 2002


    Hi all,

    I run snort-mysql-1.8.3-5 on a RH7.2 box

    I've written the following rule (in the local.rule)

var LNF_AFS_SERVERS [193.206.84.121/32,193.206.84.123/32]

pass udp $LNF_AFS_SERVERS 7000:7009 <> $HOME_NET 7000:7009

     Where HOME_NET is defined in the main snort.conf as

var HOME_NET [192.84.152.0/24,193.206.152.0/23]

     and started the snortd with the -o flag. But:


Generated by ACID v0.9.6b20 on Mon February 11, 2002 13:28:54


------------------------------------------------------------------------------
#(1 - 7075) [2002-02-07 11:12:13] [arachNIDS/247]  MISC Large UDP Packet
IPv4: 193.206.84.121 -> 193.206.152.113
      hlen=5 TOS=0 dlen=4284 ID=52436 flags=0 offset=0 TTL=23 chksum=21973
UDP:  port=7000 -> dport: 7001 len=4264
Payload:  length = 4064


     Why does snort refuse to follow my "pass" rule?

     How can I tell snortd not to log this kind of traffic?


     Ciao
				Enrico


      Enrico M.V. Fasanelli          Phone +39 0832 320.435/448
Istituto Nazionale Fisica Nucleare   Fax   +39 0832 325128
       Sezione di Lecce              mailto:Enrico.M.V.Fasanelli at ...4883...
  Servizio di Calcolo & Reti         Via per Arnesano, I-73100 LECCE (Italy)
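
An added example, not part of the original post: a Python check of whether the alerted packet's addresses, ports and direction fall inside the header of the posted pass rule. It handles only the header syntax used in the post (variables, bracketed CIDR lists, port ranges, `->` and `<>`), and the two `var` lines are combined into one constructed config string.

```python
import ipaddress

# Constructed config: both var lines and the pass rule, copied from the post.
CONF = """
var LNF_AFS_SERVERS [193.206.84.121/32,193.206.84.123/32]
var HOME_NET [192.84.152.0/24,193.206.152.0/23]
pass udp $LNF_AFS_SERVERS 7000:7009 <> $HOME_NET 7000:7009
"""
ALERT = ("udp", "193.206.84.121", 7000, "193.206.152.113", 7001)  # from the ACID output

def nets(spec, variables):
    """Expand $VAR / [a,b] / any into a list of ip_network objects."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    spec = "0.0.0.0/0" if spec == "any" else spec
    return [ipaddress.ip_network(n) for n in spec.strip("[]").split(",")]

def ports(spec):
    """Turn 'any', 'N', 'lo:hi', ':hi' or 'lo:' into an inclusive (lo, hi)."""
    if spec == "any":
        return (0, 65535)
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0), int(hi or 65535) if sep else int(lo))

def parse_conf(text):
    """Return the rule headers in text with variables and ranges expanded."""
    variables, rules = {}, []
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "var":
            variables[tok[1]] = tok[2]
        else:
            action, proto, src, sport, op, dst, dport = tok[:7]
            rules.append((action, proto, nets(src, variables), ports(sport),
                          op, nets(dst, variables), ports(dport)))
    return rules

def side(ip, port, netlist, prange):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in netlist) and prange[0] <= port <= prange[1]

def header_matches(rule, pkt):
    """True if pkt fits the rule header, honouring the <> direction operator."""
    _, proto, snets, sp, op, dnets, dp = rule
    p, sip, sport, dip, dport = pkt
    fwd = side(sip, sport, snets, sp) and side(dip, dport, dnets, dp)
    rev = side(sip, sport, dnets, dp) and side(dip, dport, snets, sp)
    return p == proto and (fwd or (op == "<>" and rev))
```

`header_matches(parse_conf(CONF)[0], ALERT)` returns `True`: the address, port and direction fields of the pass rule do cover the packet shown in the alert.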









