[Snort-users] Doubt about rules

Sonika Malhotra sonikam at ...4044...
Thu Feb 28 03:06:01 EST 2002

Hello List,
I have a doubt (I had posted the question before also, with no replies!).

If I write rules as follows:
pass any any -> my.server.ip.addr/32 25
pass any any -> my.server.ip.addr/32 53
alert any any -> my.server.ip.addr/32 any

and run Snort with the -o option set, then:

1. Snort is going to pass all traffic for ports 25 and 53, but alert on
   other ports. But in this case, is the "attack signature check" done for
   25 and 53, or are these packets just passed without any check?
2. And what is the difference between alert and log (except for the
   different files)?

Thanks in advance

