[Snort-users] Unable to get Pass rules to ignore some traffic.

David E. Gianndrea daveg at ...4357...
Thu Jul 18 07:31:07 EDT 2002


Well I don't know why it was not working, but after adding the /32 the pass
rules started working. There was more than one rule doing this, the
NETBIOS NT NULL session rule, and the Telnet rules were doing it as well.
The /32 appears to have fixed my problem for now!

Thanks ALL!

-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.


"Andrew R. Baker" wrote:
> 
> Moyer, Shawn wrote:
> > Actually, I'm wondering if it's b/c of the "msg:" field being left in the
> > rule, maybe it's still logging even if it's passing?
> 
> Having the "msg:" field specified for a log or pass rule will not affect
> how the rule functions.  It will just not get used for that particular rule.
> 
> > I have quite a few rules that don't have the slash notation on the end and
> > they work -- I'm guessing the default if CIDR is not defined is to append
> > /32.
> 
> You are correct, if there is not CIDR block specified, it defaults to /32.
> 
> Of course, knowing these things still does not explain why Snort is not
> properly applying the pass rule.
> 
> -A




More information about the Snort-users mailing list