[Snort-users] pass rule

Gosswiler Bjoern Bjoern.Gosswiler at ...8185...
Fri Apr 25 02:36:06 EDT 2003

hi all

I just get confused with my pass rules!!!!!

I don’t want to get portscan traffic from $HOME_NET to the DMZ proxy server on
port 8080:

spp_portscan2) Portscan detected from 2 targets 21 ports in 18 seconds        TCP

To keep out this entry I wrote a pass rule:
pass tcp $HOME_NET -> 8080

Also this portscan traffic:
spp_portscan2) Portscan detected from 6 targets 34 ports in 61 seconds
pass tcp $HOME_NET -> 445

I put all my pass rules in the file local.rules and
start snort with -o.

-> I don’t want to define e.g. portscan-ignorehost, because I
think all ports to this IP are then ignored!?

Do I understand something wrong ?? 

