[Snort-users] Unable to get Pass rules to ignore some traffic .

Andrew R. Baker andrewb at ...1935...
Thu Jul 18 05:17:16 EDT 2002


Moyer, Shawn wrote:
> Actually, I'm wondering if it's b/c of the "msg:" field being left in the
> rule, maybe it's still logging even if it's passing? 

Having the "msg:" field specified for a log or pass rule will not affect 
how the rule functions.  It will just not get used for that particular rule.

> I have quite a few rules that don't have the slash notation on the end and
> they work -- I'm guessing the default if CIDR is not defined is to append
> /32.

You are correct, if there is not CIDR block specified, it defaults to /32.


Of course, knowing these things still does not explain why Snort is not 
properly applying the pass rule.

-A





More information about the Snort-users mailing list