[Snort-users] Unable to get Pass rules to ignore some traffic.

David E. Gianndrea daveg at ...4357...
Wed Jul 17 14:05:02 EDT 2002

I'm having an issue where I'm trying to keep down my false alerts for valid
traffic between hosts by using pass rules. As an example...

var BRANCH_NETS [,,]

pass udp $BRANCH_NETS any -> x.x.0.2 162 (msg:"SNMP trap udp";
reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1419; rev:2;)

/usr/local/snort-eth0/bin/snort -u snort -g snort -i eth0 -d -D -o -c
/usr/local/snort-eth0/etc/snort.conf -l /var/log/snort/snort-eth0

I'm unsure about the order that snort will process these rules, but
I moved the local.rules to the top of the list in the snort.conf.

I'm using Version 1.8.7 (Build 128) of snort.

Anyone got any clues?

David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.
