[Snort-users] Pass Rule not working?
stevele at ...4444...
Wed Jul 24 10:31:02 EDT 2002
Don't think so. I have my daemon set up to run -o.
Been running the command /usr/local/bin/snort -u Snorter -o -U -d -D -c
/etc/snort/snort.conf -i eth1 -l /var/log/snort in /etc/rc.d/init.d/
I thought that was the problem too, but it doesn't solve anything for me.
And since it came in while I was typing this one:
In response to Shane: I know that *.*.*.* isn't a valid IP, I just didn't
see any particular reason to hand out the IP addresses of my servers. The
stars are supposed to represent an actual IP address, not a wildcard,
since the snort wildcard is indeed any. Thanks, though.
At 01:18 PM 7/24/2002 -0400, Matt Kettler wrote:
>Is this by chance the answer you need? (from the snort FAQ)
>4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
>Q: Why does the program generate alerts on packets that have pass rules?
>A: The default order that the rules are applied in is alerts first, then
>pass rules, then log rules. This ordering ensures that you don't write 50
>great alert rules and then disable them all accidentally with an errant pass
>rule. If you really want to change this order so that the pass rules are
>applied first, use the "-o" command line switch.
>At 10:48 AM 7/24/2002 -0600, Steve Lebeda wrote:
>>I've been getting alerts in ACID because of ICMP packets. The message is
>>ICMP Destination Unreachable (Communication Administratively Prohibited)
>>I know this particular issue has been addressed previously and I think I
>>understand why it's happening. The servers on my Home Net are trying to
>>ping to places that they aren't allowed to ping and the packets are being
>>returned by an intermediary device. Trying to be clever, I wrote a pass
>>rule in my local.rules file:
>>pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)
>>I'm still getting errors.
>>What'd I do wrong?
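
The rule ordering described in the FAQ excerpt quoted above, as an added example that is not part of the original thread and is not Snort's own code: a toy Python model of how the order of the action groups decides whether a matching pass rule suppresses an alert. The `Rule` class, the `evaluate` function and the sample packets are constructed for illustration, and the model assumes the first matching rule decides the packet.

```python
# Added illustration: toy model of the rule ordering quoted from the Snort FAQ.
# Not Snort code; all names and sample packets here are constructed.
from dataclasses import dataclass
from typing import Optional

DEFAULT_ORDER = ("alert", "pass", "log")     # order stated in the FAQ
PASS_FIRST_ORDER = ("pass", "alert", "log")  # order with "-o", per the FAQ


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    itype: Optional[int] = None  # None means "any"
    icode: Optional[int] = None
    msg: str = ""

    def matches(self, pkt: dict) -> bool:
        return (pkt["proto"] == self.proto
                and self.itype in (None, pkt.get("itype"))
                and self.icode in (None, pkt.get("icode")))


def evaluate(rules, pkt, order):
    """Return (action, msg) of the first matching rule, walking the action
    groups in `order`. Assumption: the first match decides the packet."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action, rule.msg
    return None, ""


RULES = [
    Rule("alert", "icmp", itype=3, icode=13,
         msg="ICMP Destination Unreachable "
             "(Communication Administratively Prohibited)"),
    Rule("pass", "icmp", itype=3, icode=13),
]
PKT = {"proto": "icmp", "itype": 3, "icode": 13}    # constructed sample packet
OTHER = {"proto": "icmp", "itype": 8, "icode": 0}   # constructed echo request

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", PASS_FIRST_ORDER)):
        print(name, evaluate(RULES, PKT, order))
```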