[Snort-users] Pass Rule not working?

Matt Kettler mkettler at ...4108...
Wed Jul 24 10:19:04 EDT 2002


Is this by chance the answer you need? (from the snort FAQ)

4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the program generate alerts on packets that have pass rules?

A: The default order that the rules are applied in is alerts first, then pass 
rules, then log rules. This ordering ensures that you don't write 50 great 
alert rules and then disable them all accidentally with an errant pass rule. 
If you really want to change this order so that the pass rules are applied 
first, use the "-o" command line switch.


At 10:48 AM 7/24/2002 -0600, Steve Lebeda wrote:
>I've been getting alerts in ACID because of ICMP packets. The message is 
>ICMP Destination Unreachable (Communication Administratively Prohibited)
>I know this particular issue has been addressed previously and I think I 
>understand why it's happening. The servers on my Home Net are trying to 
>ping to places that they aren't allowed to ping and the packets are being 
>returned by an intermediary device. Trying to be clever, I wrote a pass 
>rule in my local.rules file:
>
>pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)
>
>I'm still getting errors.
>
>What'd I do wrong?
>
>Steve
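
The ordering described in the FAQ answer above, as an added example that is not part of the original message and is not Snort's own code: a simplified Python model in which rules are grouped by action and the first matching rule in the configured order decides the outcome. The rule set, sample packets, and function names are constructed for illustration; it also shows the FAQ's warning case, where a pass rule with no options silences every ICMP alert once pass rules run first.

```python
# Simplified model of Snort's rule-action ordering (added illustration, not Snort source).
DEFAULT_ORDER = ("alert", "pass", "log")      # default order described in the FAQ
PASS_FIRST_ORDER = ("pass", "alert", "log")   # order selected by the "-o" switch

# Constructed rule set: (action, protocol, match options, message).
RULES = [
    ("alert", "icmp", {"itype": 3, "icode": 13},
     "ICMP Destination Unreachable (Communication Administratively Prohibited)"),
    ("alert", "icmp", {"itype": 8}, "ICMP echo request (constructed rule)"),
    ("pass", "icmp", {"itype": 3, "icode": 13}, "local pass rule"),
]

# The same rules plus an errant pass rule whose empty options match all ICMP.
ERRANT = RULES + [("pass", "icmp", {}, "overly broad pass rule")]

# Constructed sample packets.
UNREACH = {"proto": "icmp", "itype": 3, "icode": 13}
ECHO = {"proto": "icmp", "itype": 8, "icode": 0}


def matches(rule, packet):
    """True when the protocol and every listed option equal the packet's fields."""
    _, proto, opts, _ = rule
    return packet["proto"] == proto and all(packet.get(k) == v for k, v in opts.items())


def evaluate(packet, rules, order=DEFAULT_ORDER):
    """Walk the action groups in order; the first matching rule decides."""
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, packet):
                return action, rule[3]
    return None, None


def alerts_raised(packets, rules, order):
    """Messages of the alerts that would fire for these packets."""
    results = (evaluate(p, rules, order) for p in packets)
    return [msg for action, msg in results if action == "alert"]


if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", PASS_FIRST_ORDER)):
        print(name, "narrow pass:", alerts_raised([UNREACH, ECHO], RULES, order))
        print(name, "errant pass:", alerts_raised([UNREACH, ECHO], ERRANT, order))
```
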




