[Snort-users] A little pass rule help
snrtlst at ...2792...
Tue Apr 15 05:19:05 EDT 2003
Would it be possible to use 'pass is <address> any -> <address>
I would like not to log traffic originated from specific host only on
L. Christopher Luther wrote:
> 10.0.0.0 is not a valid host IP -- it's a network address. So if you
> want to have the 10.0.0.0 network be the destination of the pass rule,
> then the rule should look something like:
> pass ip 10.0.30.4 any -> 10.0.0.0/8 any
> The second rule should also include a port designator:
> pass ip 10.0.20.6 any -> any any
> See if this helps.
> - Christopher
> -----Original Message-----
> From: Keg [mailto:snrtlst at ...2792...]
> Sent: Monday, April 14, 2003 5:14 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] A little pass rule help
> I have 2 pass rules that I placed in local.rules: (snort started with -o)
> pass ip 10.0.30.4 any -> 10.0.0.0 any
> pass ip 10.0.20.6 any -> any
> First should take care of cluster servers broadcasts, second takes care
> of weird ICMP redirects from Shiva device. Snort cannot be started and
> it complains about those pass rules, the moment I disable 'em snort is
> started and it works fine.
> Is there a syntax problem with those pass rules?
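The two header checks raised in Christopher's reply, as an added example that is not part of the original thread and is not Snort's own parser. It assumes the standard seven-field rule header; the function names and the trailing-zero heuristic for spotting a network address are hypothetical choices made for this illustration.

```python
import ipaddress

DIRECTIONS = {"->", "<>"}

def lint_rule_header(rule):
    """Return a list of findings for the header of one Snort rule line."""
    # Everything before the first "(" is the header; options are ignored.
    header = rule.split("(", 1)[0].split()
    if len(header) != 7:
        return [f"error: header has {len(header)} fields, expected 7 "
                "(action proto src_ip src_port direction dst_ip dst_port)"]
    action, proto, src, sport, direction, dst, dport = header
    findings = []
    if direction not in DIRECTIONS:
        findings.append(f"error: unknown direction operator {direction!r}")
    for side, addr in (("source", src), ("destination", dst)):
        findings.extend(_lint_address(side, addr))
    return findings

def _lint_address(side, addr):
    # Only bare dotted-quad addresses are examined. 'any', variables such
    # as $HOME_NET, negations, lists and CIDR blocks are left alone.
    if "/" in addr or not addr[0].isdigit():
        return []
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return [f"error: {side} address {addr!r} is not a valid IPv4 address"]
    # Assumed heuristic: a zero last octet with no mask is probably meant
    # as a network, which needs a CIDR mask to match more than one host.
    if int(ip) & 0xFF == 0:
        return [f"warning: {side} {addr} looks like a network address; "
                "add a CIDR mask"]
    return []

if __name__ == "__main__":
    # The two rules from the original post, then the two corrected forms.
    for rule in ("pass ip 10.0.30.4 any -> 10.0.0.0 any",
                 "pass ip 10.0.20.6 any -> any",
                 "pass ip 10.0.30.4 any -> 10.0.0.0/8 any",
                 "pass ip 10.0.20.6 any -> any any"):
        print(rule, "=>", lint_rule_header(rule) or "ok")
```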