[Snort-users] pass rule

Gosswiler Bjoern Bjoern.Gosswiler at ...8185...
Fri Apr 25 02:36:06 EDT 2003


Hi all

I just get confused with my pass rules!!!!!

I don’t want to get portscan traffic from $HOME_NET to the DMZ proxy server on
port 8080

-------------------------------------------
spp_portscan2) Portscan detected from 212.8.128.120: 2 targets 21 ports
in 18 seconds
212.8.128.120:8080        192.168.192.226:2001        TCP  
----------------------------------------------
To keep out this entry I wrote a pass rule:
pass tcp $HOME_NET -> 212.8.128.120 8080


Also this portscan traffic:
--------------------------------------------------------
spp_portscan2) Portscan detected from 212.8.128.114: 6 targets 34 ports
in 61 seconds
212.8.128.114:445        192.168.192.162:1399       
---------------------------------------------------------
pass tcp $HOME_NET -> 212.8.128.114/32 445


I put all my pass rules in the file local.rules and
start snort with -o

-> I don’t want to define portscan-ignorehost (e.g. 212.8.128.120) because I
think then all ports to this IP are ignored!?

Do I understand something wrong?

Björn
