[Snort-users] Doubt about rules

Erek Adams erek at ...577...
Thu Feb 28 03:32:04 EST 2002

On Thu, 28 Feb 2002, Sonika Malhotra wrote:

> Hello List,
> I have a doubt ( i had posted the question before also with no replies!)
> if i write rules as follows-
> pass any any -> my.server.ip.addr/32 25
> pass any any -> my.server.ip.addr/32 53
> alert any any -> my.server.ip.addr/32 any
> and run snort with -o option set. then:
> 1. snort is going to pass all
> traffic for 25 and 53 port , but alert on other ports but in this case is
> the "attack signature check" done for 25 and 53 or these packets are just
> passed without any check.

Pass rules are just that.  They tell snort to skip checks and "ignore" any
packets that match this rule.

>         2. and what is the difference between alert and log.(except for
> the diff. files)

See this:  http://www.theadamsfamily.net/~erek/snort/logging_methods.txt for
the real dirt on it.


Erek Adams

More information about the Snort-users mailing list