[Snort-users] newbie pass rule question

Eric Garnel egarnel3470 at ...131...
Tue Jun 18 07:48:05 EDT 2002


I have Snort up and running and have set up HOME_NET to the subnet
that the external NIC of the Snort box sits on (our public subnet),
and have set EXTERNAL_NET to any !$HOME_NET in snort.conf.
I am seeing local pings between some of my devices that I want to
ignore.
Do I have to use a pass.rule with the -o flag, or can I just add them
to the icmp.rules with the pass option instead of alert?
Also, I am a little confused about the syntax:
If I wanted to include hosts to ignore-portscans in the preprocessor
portscan-ignorehosts, is it 111.222.333.444/32 222.333.444.555/32...
or [111.222.333.444/32 111.222.444.555/32...]?

I see examples of both on the web.
Running Snort 1.8.1.

Thanks
