[Snort-users] Pass Rule not working?

Steve Lebeda stevele at ...4444...
Wed Jul 24 10:31:02 EDT 2002


Don't think so. I have my daemon set up to run -o.

Been running the command /usr/local/bin/snort -u Snorter -o -U -d -D -c 
/etc/snort/snort.conf -i eth1 -l /var/log/snort in /etc/rc.d/init.d/

I thought that was the problem too, but it doesn't solve anything for me.

And since it came in while I was typing this one:

In response to Shane: I know that *.*.*.* isn't a valid IP, I just didn't 
see any particular reason to hand out the IP addresses of my servers. The 
stars are supposed to represent an actual IP address, not a wildcard, 
since the snort wildcard is indeed any. Thanks, though.

Steve


At 01:18 PM 7/24/2002 -0400, Matt Kettler wrote:
>Is this by chance the answer you need? (from the snort FAQ)
>
>4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
>
>Q: Why does the program generate alerts on packets that have pass rules? 
>A: The default order that the rules are applied in is alerts first, then 
>pass rules, then log rules. This ordering ensures that you don't write 50 
>great alert rules and then disable them all accidentally with an errant pass 
>rule. If you really want to change this order so that the pass rules are 
>applied first, use the "-o" command line switch.
>
>
>At 10:48 AM 7/24/2002 -0600, Steve Lebeda wrote:
>>I've been getting alerts in ACID because of ICMP packets. The message is 
>>ICMP Destination Unreachable (Communication Administratively Prohibited)
>>I know this particular issue has been addressed previously and I think I 
>>understand why it's happening. The servers on my Home Net are trying to 
>>ping to places that they aren't allowed to ping and the packets are being 
>>returned by an intermediary device. Trying to be clever, I wrote a pass 
>>rule in my local.rules file:
>>
>>pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)
>>
>>I'm still getting errors.
>>
>>What'd I do wrong?
>>
>>Steve