[Snort-users] Pass rule not working

Matt Kettler mkettler at ...4108...
Thu Sep 5 18:09:03 EDT 2002


Did you add -o to your snort command line?

By default, for your protection against accidentally passing stuff you 
didn't really mean to, pass rules are applied *after* alerts. -o will 
re-order it to do pass rules first.


At 05:22 PM 9/5/2002 -0700, Tony Wong wrote:
>I have the following pass rules in
>
>Shellcode.rules
>
>pass tcp mysubnet/21 any -> mysubnet/21 $SHELLCODE_PORTS (msg:"SHELLCODE
>x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
>classtype:system-call-det......
>
>pass tcp mysubnet/21 any -> mysubnet/21 $SHELLCODE_PORTS (msg:"SHELLCODE
>x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
>depth: 128; reference:$..........
>
>pass tcp 171.64.184.0/21 any -> mysubnet/21 $SHELLCODE_PORTS
>(msg:"SHELLCODE x86 NOOP"; content: "|61 61 61 61 61 61 61 61 61 61 61
>61 61 61 61 61 61 61 61 61 61|"; c$............
>
>
>But I am still getting these SHELLCODE x86 alerts in ACID.
>
>Any ideas?
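A simplified model of the rule ordering described in the reply above, as an added example that is not part of the original thread and is not Snort's own code. The first-match evaluation, the address 10.1.0.0/21 standing in for mysubnet/21, and the sample packets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model (assumption): rules are grouped by action, the groups are
# tried in a fixed order, and the first matching rule decides the outcome.
DEFAULT_ORDER = ("alert", "pass", "log")   # pass rules tested after alerts
DASH_O_ORDER = ("pass", "alert", "log")    # order after -o: pass rules first

@dataclass
class Rule:
    action: str
    src: str        # source network in CIDR form
    dst: str        # destination network in CIDR form
    content: bytes  # byte pattern searched for in the payload
    msg: str

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.content in pkt["payload"])

def evaluate(rules, pkt, order):
    """Return (action, msg) of the first matching rule, or None."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return rule.action, rule.msg
    return None

# Constructed sample data: 10.1.0.0/21 stands in for "mysubnet/21".
NOOP = b"\x90" * 14
RULES = [
    Rule("alert", "0.0.0.0/0", "0.0.0.0/0", NOOP, "SHELLCODE x86 NOOP"),
    Rule("pass", "10.1.0.0/21", "10.1.0.0/21", NOOP, "SHELLCODE x86 NOOP"),
]
# A pass rule with an unrestricted source, to show what -o makes possible.
BROAD = RULES + [Rule("pass", "0.0.0.0/0", "10.1.0.0/21", NOOP, "too broad")]
INTERNAL = {"src": "10.1.2.3", "dst": "10.1.4.5", "payload": b"GET " + NOOP * 2}
EXTERNAL = {"src": "192.0.2.9", "dst": "10.1.4.5", "payload": NOOP + b"\x00"}

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        for label, pkt in (("internal", INTERNAL), ("external", EXTERNAL)):
            print(f"{name:8} {label:9} -> {evaluate(RULES, pkt, order)}")
    print("-o, broad pass, external ->", evaluate(BROAD, EXTERNAL, DASH_O_ORDER))
```

In this model the internal packet still alerts under the default order, is passed under the -o order, and the broad pass rule silences the external packet as well, which is the accident the default order guards against.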




