[Snort-users] Unable to get Pass rules to ignore some traffic.

Moyer, Shawn SMoyer at ...5894...
Thu Jul 18 01:18:02 EDT 2002


Actually, I'm wondering if it's b/c of the "msg:" field being left in the
rule, maybe it's still logging even if it's passing? 

I have quite a few rules that don't have the slash notation on the end and
they work -- I'm guessing the default if CIDR is not defined is to append
/32.


--shawn



> -----Original Message-----
> From: McCammon, Keith [mailto:Keith.McCammon at ...3497...]
> Sent: Wednesday, July 17, 2002 16:24
> To: daveg at ...4357...; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Unable to get Pass rules to ignore some
> traffic.
> 
> 
> > pass udp $BRANCH_NETS any -> x.x.0.2 162 (msg:"SNMP trap udp";
> > reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013;  
> > sid:1419; rev:2;
> > classtype:attempted-recon;)
> 
> You're missing the CIDR designation on the destination 
> address.  Should be x.x.0.2/32.



