[Snort-users] Unable to get Pass rules to ignore some traffic.
David E. Gianndrea
daveg at ...4357...
Wed Jul 17 14:05:02 EDT 2002
I'm having an issue where I'm trying to keep down my false alerts for valid
traffic between hosts by using pass rules. As an example...
var HOME_NET 220.127.116.11/16
var EXTERNAL_NET !$HOME_NET
var BRANCH_NETS [18.104.22.168/16,22.214.171.124/16,126.96.36.199/16]
pass udp $BRANCH_NETS any -> x.x.0.2 162 (msg:"SNMP trap udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1419; rev:2;)
/usr/local/snort-eth0/bin/snort -u snort -g snort -i eth0 -d -D -o -c
/usr/local/snort-eth0/etc/snort.conf -l /var/log/snort/snort-eth0
I'm unsure about the order that Snort will process these rules, but
I moved the local.rules to the top of the list in the snort.conf.
I'm using Version 1.8.7 (Build 128) of Snort.
Anyone got any clues?
Senior Network Engineer
Comsquared Systems, Inc.
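The post above hinges on two things: how Snort orders rule types (by default it evaluates alert rules before pass rules, and the `-o` switch flips that to pass -> alert -> log), and the fact that the first matching rule wins, so the position of local.rules inside snort.conf does not change which rule type is consulted first. The following Python script is an added illustration, not code from the poster or from the Snort project: it parses a tiny subset of the Snort rule header syntax (action, protocol, source/destination with `$VAR` lists, ports, and the `msg` option), then applies the same constructed pass and alert rules to a constructed SNMP-trap packet under both orderings. The `VARS` table, the 10.x.0.0/16 networks, the packets and the second rule's message are all constructed stand-ins for the values in the post; negated networks such as `!$HOME_NET` are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the "var" lines in snort.conf (RFC 1918 space, not the poster's ranges).
VARS = {
    "HOME_NET": "10.0.0.0/16",
    "BRANCH_NETS": "[10.1.0.0/16,10.2.0.0/16,10.3.0.0/16]",
}


@dataclass
class Rule:
    action: str           # "pass", "alert" or "log"
    proto: str            # "udp", "tcp", ...
    src: list             # list of ip_network; an empty list means "any"
    sport: Optional[int]  # None means "any"
    dst: list
    dport: Optional[int]
    msg: str


def expand_nets(spec: str) -> list:
    """Turn 'any', a $VARIABLE, a single address or a [a,b,c] list into ip_network objects."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return []
    return [ipaddress.ip_network(s, strict=False) for s in spec.strip("[]").split(",")]


def expand_port(spec: str) -> Optional[int]:
    return None if spec == "any" else int(spec)


# Subset of the Snort rule grammar: "<action> <proto> <src> <sport> -> <dst> <dport> (<options>)".
# The option block must be complete, closing parenthesis included.
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return Rule(action, proto, expand_nets(src), expand_port(sport),
                expand_nets(dst), expand_port(dport), msg.group(1) if msg else "")


def in_nets(addr: str, nets: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return not nets or any(ip in n for n in nets)


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto == pkt["proto"]
            and in_nets(pkt["src"], rule.src)
            and (rule.sport is None or rule.sport == pkt["sport"])
            and in_nets(pkt["dst"], rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


# Snort's default rule-type order and the order selected by the -o switch.
DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")


def decide(rules: list, pkt: dict, order=DEFAULT_ORDER) -> str:
    """First matching rule wins, but rule *types* are consulted in the given order
    regardless of where each rule sits in the rules files."""
    for action in order:
        for r in rules:
            if r.action == action and matches(r, pkt):
                return action
    return "none"


# Constructed rules: the pass rule is listed first on purpose, mirroring local.rules
# being moved to the top of snort.conf; with the default order that still loses.
RULES = [parse_rule(t) for t in [
    'pass udp $BRANCH_NETS any -> 10.0.0.2 162 (msg:"branch SNMP traps are expected";)',
    'alert udp any any -> $HOME_NET 162 (msg:"SNMP trap udp"; sid:1419; rev:2;)',
]]

# Constructed packets: a trap from a branch network and one from an outside address.
BRANCH_TRAP = {"proto": "udp", "src": "10.2.7.7", "sport": 1025, "dst": "10.0.0.2", "dport": 162}
OUTSIDE_TRAP = {"proto": "udp", "src": "192.0.2.9", "sport": 1025, "dst": "10.0.0.2", "dport": 162}

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print(f"{name:8} branch trap -> {decide(RULES, BRANCH_TRAP, order)}, "
              f"outside trap -> {decide(RULES, OUTSIDE_TRAP, order)}")
```

Run as-is it shows the branch trap being alerted on under the default order and passed under the `-o` order, while the outside trap alerts either way because it matches no pass rule. A convenient side effect of the strict `RULE_RE` is that a rule whose option block is not closed with `)` is rejected at parse time rather than silently ignored.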