[Snort-users] newbie pass rule question
erek at ...577...
Tue Jun 18 11:25:07 EDT 2002
On Tue, 18 Jun 2002, Eric Garnel wrote:
> I have snort up and running and have set up HOME_NET to the subnet
> that the external nic of the snort box sits on (our public subnet)
> and have set EXTERNAL_NET to any !$HOME_NET in snort.conf.
Ok. So far so good.
> I am seeing local pings between some of my devices that I want to
Ahhhh... I think I hear a FAQ coming on..... :)
> Do I have to use a pass.rule with the -o flag?
To do what you want: Yes. See below.
> or can I just add them to the icmp.rules with the pass option instead of
This will "work" but not in the way you expect. Notice the line when snort
starts up that reads:
Rule application order: ->activation->dynamic->alert->pass->log
If you put a '-o' as a switch you get:
Rule application order: ->pass->activation->dynamic->alert->log
Notice where the word 'pass' falls in the list on both.... If you don't use
"-o" snort will alert first, then pass. If you add "-o" it will pass then
alert. Be careful--You can shoot yourself in the foot with a poorly written
> Also, I am a little confused with the syntax: If I wanted to include
> hosts to ignore-portscans in the preprocessor portscan-ignorehosts is it
> 111.222.333.444/32 222.333.444.555/32... or [111.222.333.444/32
> I see examples of both on the web.
Ok, for the spp_portscan pre-processor: You need to use a whitespace
delimited list, and not a comma-separated one. (Long explanation posted to
snort-users a while back, check the archives or email me if you want the full
> running snort 1.8.1
If you can--UPGRADE!!! 1.8.6 and 1.8.7b7 (almost non-beta now) have
_significant_ changes and bugfixes over the 1.8.1 release.
And if you're a newbie, check out the FAQ and the online Docs. Quite a
bit of handy info in there....
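Putting the two answers above together as an added example (not from the original post or the Snort project), here is what the snort.conf pieces and the pass rule look like for the Snort 1.8.x syntax discussed. The addresses (192.0.2.0/24 and the two /32 hosts) are placeholders standing in for the poster's public subnet, and the file names pass.rules and portscan.log are assumptions.

```conf
# snort.conf fragment (Snort 1.8.x syntax). Placeholder addresses:
# 192.0.2.0/24 stands in for the public subnet the external NIC sits on.
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET

# spp_portscan: watch HOME_NET, alert on 4 ports within 3 seconds, log to portscan.log.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Hosts the portscan preprocessor should ignore. This list is whitespace
# delimited, NOT comma separated (no brackets, no commas).
preprocessor portscan-ignorehosts: 192.0.2.10/32 192.0.2.20/32

# Keep the pass rules in their own file so they are easy to audit.
include pass.rules

# ---- pass.rules (assumed file name) ----
# Only ignore echo request/reply between the two local devices that ping
# each other; anything else ICMP still hits the normal alert rules.
pass icmp 192.0.2.10/32 any <> 192.0.2.20/32 any (msg:"local ping echo request"; itype:8;)
pass icmp 192.0.2.10/32 any <> 192.0.2.20/32 any (msg:"local ping echo reply"; itype:0;)

# Start snort with -o so pass rules are evaluated BEFORE alert rules:
#   snort -c /etc/snort/snort.conf -o
# The startup banner should then read:
#   Rule application order: ->pass->activation->dynamic->alert->log
# Without -o the order is ->activation->dynamic->alert->pass->log and the
# pass rules above will never suppress the ICMP alerts.
```

Keep pass rules as narrow as the two above (specific hosts, specific itype). With -o in effect, a pass rule written with `any any <> any any` silently disables every alert rule that would otherwise match, and nothing in the alert log tells you it happened.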