[Snort-users] VPN and UDP alerts

Neil Dickey neil at ...1633...
Fri Apr 25 10:51:38 EDT 2003


"Allan Dover" <allan at ...8825...> wrote asking:

>Is there a way to not alert or log UDP:500 as source?  Would I make a rule
>to do this?  I haven't ventured into rule making as of yet.

A "pass" rule in 'local.rules' would probably do the trick.  Something
like ...

  pass udp $VPN-NET 500 <> $HOME_NET any

... would probably do it.  Then restart Snort, and make sure you're
using the '-o' rule on the command line.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
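
The following is an added example, not part of the original message or of Snort's code: a small Python model of why the pass rule above only takes effect with '-o', comparing the default evaluation order (alert, then pass, then log) with the pass-first order that '-o' selects. The addresses, the stand-in alert rule and the function names are constructed assumptions; only the pass rule header comes from the post.

```python
import ipaddress

# Constructed sample networks (assumptions, not values from the post).
VARS = {"VPN-NET": "192.0.2.10/32", "HOME_NET": "10.0.0.0/24"}

# Rule headers: (action, proto, src_net, src_port, direction, dst_net, dst_port)
RULES = [
    ("alert", "udp", "any", "any", "->", "HOME_NET", "any"),      # stand-in noisy UDP signature
    ("pass", "udp", "VPN-NET", "500", "<>", "HOME_NET", "any"),   # pass rule from the post
]
DEFAULT_ORDER = ("alert", "pass", "log")   # evaluation order without -o
PASS_FIRST = ("pass", "alert", "log")      # evaluation order with -o

def side_ok(net, port_spec, ip, port):
    """True if one endpoint (ip, port) satisfies one side of a rule header."""
    net_ok = net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(VARS[net])
    return net_ok and (port_spec == "any" or int(port_spec) == port)

def header_matches(rule, pkt):
    _, proto, snet, sport, direction, dnet, dport = rule
    if proto != pkt["proto"]:
        return False
    forward = (side_ok(snet, sport, pkt["src"], pkt["sport"])
               and side_ok(dnet, dport, pkt["dst"], pkt["dport"]))
    if forward or direction == "->":
        return forward
    # "<>" is bidirectional: retry with the two endpoints swapped.
    return (side_ok(snet, sport, pkt["dst"], pkt["dport"])
            and side_ok(dnet, dport, pkt["src"], pkt["sport"]))

def verdict(pkt, order):
    """Return the first action, in evaluation order, that has a matching rule."""
    for action in order:
        if any(r[0] == action and header_matches(r, pkt) for r in RULES):
            return action
    return "none"

# Constructed packets: IKE to and from the VPN gateway, and an unrelated host using source port 500.
IKE_IN = {"proto": "udp", "src": "192.0.2.10", "sport": 500, "dst": "10.0.0.5", "dport": 500}
IKE_OUT = {"proto": "udp", "src": "10.0.0.5", "sport": 500, "dst": "192.0.2.10", "dport": 500}
OTHER = {"proto": "udp", "src": "198.51.100.7", "sport": 500, "dst": "10.0.0.5", "dport": 53}

if __name__ == "__main__":
    for name, pkt in (("IKE_IN", IKE_IN), ("IKE_OUT", IKE_OUT), ("OTHER", OTHER)):
        print(name, "default:", verdict(pkt, DEFAULT_ORDER), "with -o:", verdict(pkt, PASS_FIRST))
```

Because the pass rule is scoped to the VPN gateway's address, UDP traffic with source port 500 from any other host still reaches the alert rules in both orders.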





