[Snort-users] Doubt about rules
erek at ...577...
Thu Feb 28 03:32:04 EST 2002
On Thu, 28 Feb 2002, Sonika Malhotra wrote:
> Hello List,
> I have a doubt (I had posted the question before also, with no replies!)
> If I write rules as follows:
> pass any any -> my.server.ip.addr/32 25
> pass any any -> my.server.ip.addr/32 53
> alert any any -> my.server.ip.addr/32 any
> and run snort with the -o option set, then:
> 1. snort is going to pass all traffic for 25 and 53 port, but alert on
> other ports. But in this case, is the "attack signature check" done for
> 25 and 53, or are these packets just passed without any check?
Pass rules are just that. They tell snort to skip checks and "ignore" any
packets that match this rule.
> 2. And what is the difference between alert and log (except for
> the diff. files)?
See this: http://www.theadamsfamily.net/~erek/snort/logging_methods.txt for
the real dirt on it.
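
The rule ordering discussed in this thread, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of first-match evaluation under the default alert -> pass -> log order and the pass -> alert -> log order that -o selects. The address 192.0.2.10 is a constructed stand-in for my.server.ip.addr, and the function names are hypothetical.

```python
# Simplified model of Snort 1.x rule-type ordering (added illustration, not Snort source).
# Default order is alert -> pass -> log; the -o flag changes it to pass -> alert -> log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what -o selects

# Rule headers in the abbreviated form used in the question (no protocol, no options).
# 192.0.2.10 is a constructed stand-in for my.server.ip.addr.
RULES_TEXT = """\
pass any any -> 192.0.2.10/32 25
pass any any -> 192.0.2.10/32 53
alert any any -> 192.0.2.10/32 any
"""

def parse_rules(text):
    """Parse 'action src sport -> dst/mask dport' headers into dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, _src, _sport, _arrow, dst, dport = line.split()
        rules.append({"action": action, "dst": dst.split("/")[0], "dport": dport})
    return rules

def matches(rule, packet):
    """Header match on destination address and port; 'any' is a wildcard."""
    return (rule["dst"] in ("any", packet["dst"])
            and rule["dport"] in ("any", str(packet["dport"])))

def evaluate(rules, packet, pass_first=False):
    """Return the action of the first matching rule, walking rule types in order."""
    order = PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, packet):
                return action  # first match ends evaluation for this packet
    return "none"

RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for port in (25, 53, 80):
        pkt = {"dst": "192.0.2.10", "dport": port}
        print(port, "default:", evaluate(RULES, pkt),
              "| with -o:", evaluate(RULES, pkt, pass_first=True))
```

In this model, without -o the catch-all alert rule matches port 25 and 53 traffic before the pass rules are ever consulted; with -o the pass rules match first and nothing further is checked for those packets.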