[Snort-users] Same source/dest

Erek Adams erek at ...950...
Wed Apr 2 10:04:36 EST 2003


On Wed, 2 Apr 2003, Keg wrote:

> Sorry guys for the question but how do I write the pass rule?

Just like any other, except instead of 'alert' or 'log' the action is
'pass'.  Have a look at this [0] for an example.  You can also find more
info in the Snort Users manual.

> Should I create the file and name it as pass.rules or should I simply
> add the following to the local rules?
>
> pass ip 10.13.110.254 53 -> 10.13.110.254 any

That's all up to you.  Depends on how you like to organize things.  :)
Since there's a blank local.rules in the default ruleset, I don't like to
use that filename.  It stops me from just copying the rules/* over to
/etc/snort/rules/.  I tend to use 'pass.rules' and 'my.rules' for pass and
local stuff.

You pick whatever way works for you.  Just remember that you did it! :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.theadamsfamily.net/~erek/snort/ignore.txt



