[Snort-users] Pass Rule not working?

Steve Lebeda stevele at ...4444...
Wed Jul 24 10:31:02 EDT 2002

Don't think so. I have my daemon set up to run -o.

Been running the command

/usr/local/bin/snort -u Snorter -o -U -d -D -c /etc/snort/snort.conf -i eth1 -l /var/log/snort

in /etc/rc.d/init.d/

I thought that was the problem too, but it doesn't solve anything for me.

And since it came in while I was typing this one:

In response to Shane: I know that *.*.*.* isn't a valid IP, I just didn't 
see any particular reason to hand out the IP addresses of my servers. The 
stars are supposed to represent an actual IP address, not a wildcard, 
since the snort wildcard is indeed any. Thanks, though.


At 01:18 PM 7/24/2002 -0400, Matt Kettler wrote:
>Is this by chance the answer you need? (from the snort FAQ)
>
>4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
>
>Q: Why does the program generate alerts on packets that have pass rules?
>
>A: The default order that the rules are applied in is alerts first, then 
>pass rules, then log rules. This ordering ensures that you don't write 50 
>great alert rules and then disable them all accidentally with an errant pass 
>rule. If you really want to change this order so that the pass rules are 
>applied first, use the "-o" command line switch.
>
>At 10:48 AM 7/24/2002 -0600, Steve Lebeda wrote:
>>I've been getting alerts in ACID because of ICMP packets. The message is 
>>ICMP Destination Unreachable (Communication Administratively Prohibited)
>>
>>I know this particular issue has been addressed previously and I think I 
>>understand why it's happening. The servers on my Home Net are trying to 
>>ping to places that they aren't allowed to ping and the packets are being 
>>returned by an intermediary device. Trying to be clever, I wrote a pass 
>>rule in my local.rules file:
>>
>>pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)
>>
>>I'm still getting errors.
>>
>>What'd I do wrong?
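
The rule ordering described in the quoted FAQ answer, as an added example that is not part of the original thread and is not Snort's own code: a simplified Python model in which the rule lists are walked in order and the first list containing a match decides the outcome. The address 192.0.2.10 is a constructed placeholder for the redacted `*.*.*.*`, the packets are constructed, and rules are reduced to the fields that appear in the thread.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_ORDER = ("alert", "pass", "log")     # order given in the FAQ answer
PASS_FIRST_ORDER = ("pass", "alert", "log")  # order with the -o switch

@dataclass
class Rule:
    action: str
    proto: str
    dst: str                      # "any" or one literal address
    itype: Optional[int] = None   # None means "not constrained"
    icode: Optional[int] = None
    msg: str = ""

    def matches(self, pkt: dict) -> bool:
        return (self.proto == pkt["proto"]
                and self.dst in ("any", pkt["dst"])
                and self.itype in (None, pkt["itype"])
                and self.icode in (None, pkt["icode"]))

def verdict(rules, pkt, pass_first=False):
    """Walk the rule lists in order; the first list with a match decides."""
    for action in (PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER):
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action, rule.msg
    return None, ""

SERVER = "192.0.2.10"   # constructed placeholder for the redacted address
RULES = [
    Rule("alert", "icmp", "any", 3, 13,
         "ICMP Destination Unreachable (Communication Administratively Prohibited)"),
    Rule("pass", "icmp", SERVER, 3, 13),
]
# Constructed packets: an unreachable reply sent to the server, and one to another host.
TO_SERVER = {"proto": "icmp", "dst": SERVER, "itype": 3, "icode": 13}
TO_OTHER = {"proto": "icmp", "dst": "192.0.2.77", "itype": 3, "icode": 13}

if __name__ == "__main__":
    print(verdict(RULES, TO_SERVER))                   # default order
    print(verdict(RULES, TO_SERVER, pass_first=True))  # pass list first, as with -o
    print(verdict(RULES, TO_OTHER, pass_first=True))   # pass rule does not cover this host
```

In this model the pass rule only takes effect when the pass list is evaluated first, and only for packets addressed to the host named in its header.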