[Snort-users] Same source/dest
erek at ...950...
Wed Apr 2 10:04:36 EST 2003
On Wed, 2 Apr 2003, Keg wrote:
> Sorry guys for the question but how do I write the pass rule?
Just like any other, except instead of 'alert' or 'log' the action is
'pass'. Have a look at this  for an example. You can also find more
info in the Snort Users manual.
> Should a create the file and name it as pass.rules or should I simply
> add the following to the local rules.?
> pass ip 10.13.110.254 53 -> 10.13.110.254 any
That's all up to you. Depends on how you like to organize things. :)
Since there's a blank local.rules in the default ruleset, I don't like to
use that filename. It stops me from just copying the rules/* over to
/etc/snort/rules/. I tend to use 'pass.rules' and 'my.rules' for pass and
You pick whatever way works for you. Just remember that you did it! :)
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users