[Snort-users] Pass Rule not working?
mkettler at ...4108...
Wed Jul 24 10:19:04 EDT 2002
Is this by chance the answer you need? (from the snort FAQ)
4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the program generate alerts on packets that have pass rules? A:
The default order that the rules are applied in is alerts first, then pass
rules, then log rules. This ordering ensures that you don't write 50 great
alert rules and then disable them all accidently with an errant pass rule.
If you really want to change this order so that the pass rules are applied
first, use the "-o" command line switch.
At 10:48 AM 7/24/2002 -0600, Steve Lebeda wrote:
>I've been getting alerts in ACID because of ICMP packets. The message is
>ICMP Destination Unreachable (Communication Administratively Prohibited)
>I know this particular issue has been addressed previously and I think I
>understand why it's happening. The servers on my Home Net are trying to
>ping to places that they aren't allowed to ping and the packets are being
>returned by an intermediary device. Trying to be clever, I wrote a pass
>rule in my local.rules file:
>pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)
>I'm still getting errors.
>What'd I do wrong?
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users