[Snort-users] Unable to get Pass rules to ignore some traffic.

David E. Gianndrea daveg at ...4357...
Wed Jul 17 14:05:02 EDT 2002


I'm having an issue where I'm trying to keep down my false alerts for valid
traffic between hosts by using pass rules. As an example...

var HOME_NET 1.61.0.0/16
var EXTERNAL_NET !$HOME_NET
var BRANCH_NETS [1.182.0.0/16,1.62.0.0/16,1.69.0.0/16]

pass udp $BRANCH_NETS any -> x.x.0.2 162 (msg:"SNMP trap udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1419; rev:2; classtype:attempted-recon;)


/usr/local/snort-eth0/bin/snort -u snort -g snort -i eth0 -d -D -o -c /usr/local/snort-eth0/etc/snort.conf -l /var/log/snort/snort-eth0

I'm unsure about the order that Snort will process these rules, but
I moved the local.rules to the top of the list in the snort.conf.

I'm using Version 1.8.7 (Build 128) of Snort.

Anyone got any clues?

-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.
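The question above turns on how Snort 1.x/2.x orders rule types: by default it evaluates Alert rules before Pass rules (Alert -> Pass -> Log), and the -o switch on the command line flips that to Pass -> Alert -> Log, which is the only way a pass rule can suppress a stock alert rule; where the rule sits inside snort.conf does not change this. The following is an added example, not Snort's code and not from the original post: a small Python model of that ordering, using the HOME_NET/BRANCH_NETS values from the post. The trap host is redacted in the post ("x.x.0.2"), so 203.0.113.2 is a constructed placeholder, and the stock sid 1419 rule is simplified to match any source and destination on UDP/162.

```python
"""
Simplified model of Snort 1.x/2.x rule-type ordering (added example).

Snort evaluates rule *types* in a fixed order: Alert -> Pass -> Log by
default, Pass -> Alert -> Log with `snort -o`.  The first rule type that
has a matching rule decides what happens to the packet.
"""
import ipaddress
from dataclasses import dataclass

# Variables from the post.  The trap host is redacted there ("x.x.0.2");
# 203.0.113.2 is a constructed placeholder for this example.
HOME_NET = ["1.61.0.0/16"]
BRANCH_NETS = ["1.182.0.0/16", "1.62.0.0/16", "1.69.0.0/16"]
TRAP_HOST = "203.0.113.2"


@dataclass
class Rule:
    action: str   # "alert", "pass" or "log"
    proto: str    # "udp", "tcp", ...
    src: list     # CIDR strings, or ["any"]
    dst: list     # CIDR strings / host addresses, or ["any"]
    dport: str    # destination port as a string, or "any"
    msg: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in_nets(addr: str, nets: list) -> bool:
    """True if addr is in any of the networks (a bare host counts as /32)."""
    if nets == ["any"]:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and _in_nets(pkt.src, rule.src)
            and _in_nets(pkt.dst, rule.dst)
            and (rule.dport == "any" or int(rule.dport) == pkt.dport))


DEFAULT_ORDER = ["alert", "pass", "log"]   # plain `snort`
O_FLAG_ORDER = ["pass", "alert", "log"]    # `snort -o`


def evaluate(rules: list, pkt: Packet, order: list = DEFAULT_ORDER):
    """Return (action, msg) for the first rule type in `order` that has a
    matching rule; the order of rules *within* a type never matters here."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.msg
    return "none", None


# A simplified stock SNMP trap rule (sid 1419) plus the pass rule from the post.
RULES = [
    Rule("alert", "udp", ["any"], ["any"], "162", "SNMP trap udp"),
    Rule("pass", "udp", BRANCH_NETS, [TRAP_HOST], "162", "SNMP trap udp (pass)"),
]

BRANCH_TRAP = Packet("udp", "1.182.10.20", TRAP_HOST, 162)   # constructed
OUTSIDE_TRAP = Packet("udp", "198.51.100.7", TRAP_HOST, 162)  # constructed


def branch_trap_default() -> str:
    """Default order: the alert rule is checked first, so the pass rule never helps."""
    return evaluate(RULES, BRANCH_TRAP, DEFAULT_ORDER)[0]


def branch_trap_default_pass_first_in_conf() -> str:
    """Moving the pass rule above the alert rule in the config changes nothing."""
    return evaluate(list(reversed(RULES)), BRANCH_TRAP, DEFAULT_ORDER)[0]


def branch_trap_o_flag() -> str:
    """With -o the pass rule is checked first and the branch trap is ignored."""
    return evaluate(RULES, BRANCH_TRAP, O_FLAG_ORDER)[0]


def outside_trap_o_flag() -> str:
    """A trap from outside BRANCH_NETS still alerts even with -o."""
    return evaluate(RULES, OUTSIDE_TRAP, O_FLAG_ORDER)[0]


if __name__ == "__main__":
    print("default order, branch trap  :", branch_trap_default())
    print("default order, pass first   :", branch_trap_default_pass_first_in_conf())
    print("-o order, branch trap       :", branch_trap_o_flag())
    print("-o order, outside trap      :", outside_trap_o_flag())
```

The model makes the check a practitioner would run by hand: with the default order the alert fires no matter where local.rules sits in snort.conf, with -o the branch-office trap is passed while anything outside BRANCH_NETS still alerts. Since the command line in the post already carries -o, the next thing to verify against a real sensor is whether the packet's addresses and port actually fall inside the pass rule's source list and destination.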