On Tue, 18 Jun 2002, Eric Garnel wrote:

> I have snort up and running and have set up HOME_NET to the subnet
> that the external nic of the snort box sits on (our public subnet)
> and have set EXTERNAL_NET to any !$HOME_NET in snort.conf.

Ok.  So far so good.

> I am seeing local pings between some of my devices that I want to
> ignore.

Ahhhh...  I think I hear a FAQ coming on.....  :)

> Do I have to use a pass.rule with the -o flag?

To do what you want:  Yes.  See below.

> or can I just add them to the icmp.rules with the pass option instead of
> alert?

This will "work" but not in the way you expect.  Notice the line when snort
starts up that reads:

   Rule application order:  ->activation->dynamic->alert->pass->log

If you put a '-o' as a switch you get:

  Rule application order: ->pass->activation->dynamic->alert->log

Notice where the word 'pass' falls in the list on both....  If you don't use
"-o" snort will alert first, then pass.  If you add "-o" it will pass then
alert.  Be careful--You can shoot yourself in the foot with a poorly written
pass rule.

> Also, I am a little confused with the syntax: If I wanted to include
> hosts to ignore-portscans in the preprocessor portscan-ignorehosts is it
> 111.222.333.444/32 222.333.444.555/32... or [111.222.333.444/32
> 111.222.444.555/32...]
> I see examples of both on the web.

Ok, for the spp_portscan pre-processor:  You need to use a whitespace
delimited list, and not a comma separated one.  (Long explanation posted to
snort-users a while back, check the archives or email me if you want the full

> running snort 1.8.1

If you can--UPGRADE!!!  1.8.6 and 1.8.7b7 (almost non-beta now) have
_significant_ changes and bugfixes over the 1.8.1 release.

And if you're a newbie, check out the FAQ[0] and the online Docs[1].  Quite a
bit of handy info in there....


Erek Adams

[0]	http://www.snort.org/docs/faq.html
[1]	http://www.snort.org/docs/writing_rules/
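
The rule-order behaviour described in the message above, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model in which evaluation stops at the first rule type that has a matching rule (an assumption of the model). The subnet, hosts and rules are constructed for illustration.

```python
import ipaddress

# Rule type orders as printed at startup, per the message: default, then with -o.
DEFAULT_ORDER = ["activation", "dynamic", "alert", "pass", "log"]
PASS_FIRST_ORDER = ["pass", "activation", "dynamic", "alert", "log"]

HOME_NET = "192.0.2.0/24"  # constructed documentation subnet

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and in_net(pkt["src"], rule["src"])
            and in_net(pkt["dst"], rule["dst"]))

def evaluate(rules, pkt, order):
    """Return the action of the first matching rule, walking rule types in order.
    Model assumption: evaluation stops at the first rule type that has a match."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action
    return None

# Constructed rules: a ping alert plus a pass rule scoped to local-to-local ICMP.
ALERT_PING = {"action": "alert", "proto": "icmp", "src": "any", "dst": HOME_NET}
PASS_LOCAL = {"action": "pass", "proto": "icmp", "src": HOME_NET, "dst": HOME_NET}
# A poorly written pass rule: it matches every ICMP packet, not just local ones.
PASS_BROAD = {"action": "pass", "proto": "icmp", "src": "any", "dst": "any"}

LOCAL_PING = {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.20"}
EXTERNAL_PING = {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.20"}

if __name__ == "__main__":
    cases = [("scoped pass", [ALERT_PING, PASS_LOCAL]),
             ("broad pass", [ALERT_PING, PASS_BROAD])]
    for label, rules in cases:
        for name, order in (("default", DEFAULT_ORDER), ("-o", PASS_FIRST_ORDER)):
            for pkt_name, pkt in (("local", LOCAL_PING), ("external", EXTERNAL_PING)):
                print(label, name, pkt_name, "->", evaluate(rules, pkt, order))
```

With the scoped pass rule and the `-o` order, only the local ping is passed and the external ping still alerts; with the broad pass rule, the external ping is passed as well.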

