[Snort-users] A little pass rule help

L. Christopher Luther CLuther at ...6333...
Tue Apr 15 19:41:03 EDT 2003


Read up on the "writing rules" Snort docs [0] -- Snort is rather specific in
its format for rule writing.  

Christopher

[0] http://www.snort.org/docs/writing_rules/


-----Original Message-----
From: Keg [mailto:snrtlst at ...2792...]
Sent: Tuesday, April 15, 2003 8:17 AM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: Re: [Snort-users] A little pass rule help


Would it be possible to use 'pass is <address> any -> <address> 
<PROTOCOL>' ?
I would like not to log traffic originating from a specific host, only on a
specific protocol....
Thank you.

L. Christopher Luther wrote:

> 10.0.0.0 is not a valid host IP -- it's a network address.  So if you 
> want to have the 10.0.0.0 network be the destination of the pass rule, 
> then the rule should look something like: 
>
>         pass ip 10.0.30.4 any -> 10.0.0.0/8 any
>
> The second rule should also include a port designator: 
>
>         pass ip 10.0.20.6 any -> any any
>
> See if this helps. 
>
> - Christopher
>
>
> -----Original Message-----
> From: Keg [mailto:snrtlst at ...2792...]
> Sent: Monday, April 14, 2003 5:14 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] A little pass rule help
>
>
> I have 2 pass rules that I placed in local.rules: (snort started with -o)
> pass ip 10.0.30.4 any -> 10.0.0.0 any
> pass ip 10.0.20.6 any -> any
> First should take care of cluster servers broadcasts, second takes care
> of weird ICMP redirects from Shiva device. Snort cannot be started and
> it complains about those pass rules, the moment I disable 'em snort is
> started and it works fine.
> Is there a syntax problem with those pass rules?
> Thanks.
> -- 
> Your favorite stores, helpful shopping tools and great gift ideas.
> Experience the convenience of buying online with Shop at ...2793...!
> http://shopnow.netscape.com/
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
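
Added example (not part of the thread and not Snort project code): a small Python linter for the two rule-header problems discussed above, a missing port field and a network address written without a mask. The seven-field header layout, the function names and the trailing `.0` heuristic are simplifying assumptions; port syntax, variables and address lists are not inspected.

```python
import ipaddress

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
DIRECTIONS = {"->", "<>"}


def check_address(field):
    """Return a warning string for a suspicious address field, or None."""
    addr = field.lstrip("!")
    if addr == "any" or addr.startswith("$") or addr.startswith("["):
        return None  # keyword, variable or list: not inspected here
    try:
        if "/" in addr:
            ipaddress.ip_network(addr, strict=False)
            return None
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f"'{field}' is not an IP address or CIDR block"
    # Heuristic (assumption): a zero last octet with no mask is probably a network.
    if str(ip).endswith(".0"):
        return f"'{field}' looks like a network address; add a mask such as /8"
    return None


def lint_header(rule):
    """Check the seven header fields: action proto src sport dir dst dport."""
    header = rule.split("(", 1)[0].split()
    if len(header) != 7:
        return [f"error: expected 7 header fields, found {len(header)}"]
    action, proto, src, sport, direction, dst, dport = header
    problems = []
    if action not in ACTIONS:
        problems.append(f"error: unknown action '{action}'")
    if proto not in PROTOCOLS:
        problems.append(f"error: unknown protocol '{proto}'")
    if direction not in DIRECTIONS:
        problems.append(f"error: bad direction operator '{direction}'")
    for field in (src, dst):
        warning = check_address(field)
        if warning:
            problems.append("warning: " + warning)
    return problems


if __name__ == "__main__":
    # The two rules from the original question, then the corrected first rule.
    for rule in ("pass ip 10.0.30.4 any -> 10.0.0.0 any",
                 "pass ip 10.0.20.6 any -> any",
                 "pass ip 10.0.30.4 any -> 10.0.0.0/8 any"):
        print(rule, "=>", lint_header(rule) or "ok")
```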
