[Snort-users] Unable to get Pass rules to ignore some traffic .
Andrew R. Baker
andrewb at ...1935...
Thu Jul 18 05:17:16 EDT 2002
Moyer, Shawn wrote:
> Actually, I'm wondering if it's b/c of the "msg:" field being left in the
> rule, maybe it's still logging even if it's passing?
Having the "msg:" field specified for a log or pass rule will not affect
how the rule functions. It will just not get used for that particular rule.
> I have quite a few rules that don't have the slash notation on the end and
> they work -- I'm guessing the default if CIDR is not defined is to append
You are correct, if there is not CIDR block specified, it defaults to /32.
Of course, knowing these things still does not explain why Snort is not
properly applying the pass rule.
More information about the Snort-users