[Snort-users] Pass rule help needed

Joe McAlerney joey at ...47...
Sat Jan 5 11:15:02 EST 2002


Hi Steve,

Passing only applies to Snort's rules and not preprocessors.  The best
you can do is add 192.168.1.20/32 to the portscan-ignorehosts plugin
list, or use a bpf filter to ignore UDP traffic to port 137 from
192.168.1.20.

HTH,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...47...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Steve Ochani wrote:
> 
> Hello,
> 
> I'm using snort 1.8.3 on a Sun ULTRA 10 with Solaris 8.
> 
> Running snort as
> 
> /opt/snort/bin/snort -o -d -D -A fast -c /opt/snort/etc/snort.conf
> 
> I'm trying to write a pass rule to not detect scans to port 137(udp) from 1 machine.
> 
> I've tried
> 
> pass udp 192.168.1.20/32 any -> any 137
> 
> and
> 
> pass udp 192.168.1.20 any -> any 137
> 
> in my local.rules which is included in my snort.conf
> 
> and I am using the -o option to run snort but I still get portscan detects from this machine to
> port 137.
> 
> I want to be able to detect portscans from that machine ... just not to port 137/udp
> 
> Thanks
> 
> 
> 
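
The two workarounds from the reply above, written out as configuration with their trade-offs. This is an added example, not part of the original thread; the portscan preprocessor arguments are assumed values, while the addresses and command line come from the question.

```conf
# ---- snort.conf (Snort 1.8.x syntax) ----

# The pass rule from the question. With -o it is evaluated before alert
# rules, but it only affects the rules engine. The portscan preprocessor
# sees the packets independently and never consults pass rules.
pass udp 192.168.1.20/32 any -> any 137

# Option 1: exempt the host in the portscan preprocessor itself.
# Trade-off: scans from 192.168.1.20 to ANY port go unreported,
# not only those to 137/udp.
# (Arguments to portscan below are assumed values: monitored network,
#  port count, detection period in seconds, log file.)
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.20/32

# Option 2: leave snort.conf alone and append a BPF expression to the
# command line from the question, so the matching packets never reach
# Snort:
#
#   /opt/snort/bin/snort -o -d -D -A fast -c /opt/snort/etc/snort.conf \
#       'not (src host 192.168.1.20 and udp dst port 137)'
#
# Trade-off: portscan detection for this host on every other port keeps
# working, but rules and all other preprocessors are also blind to
# UDP/137 traffic from 192.168.1.20.
```

Option 2 matches what the question asks for (portscans from that machine still detected, except to 137/udp), at the cost of losing all visibility into that one flow.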
