[Snort-users] VPN and UDP alerts

Slighter, Tim tslighter at ...5174...
Fri Apr 25 11:28:11 EDT 2003

if ya do this...don't forget to declare a value for $VPN-NET in snort.conf

var VPN-NET x.x.x.x

-----Original Message-----
From: Neil Dickey [mailto:neil at ...1633...]
Sent: Friday, April 25, 2003 11:51 AM
To: allan at ...8825...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] VPN and UDP alerts

"Allan Dover" <allan at ...8825...> wrote asking:

>Is there a way to not alert or log UDP:500 as source ?  Would I make a rule
>to do this ?  I havent ventured into rule making as of yet.

A "pass" rule in 'local.rules' would probably do the trick.  Something
like ...

  pass udp $VPN-NET 500 <> $HOME_NET any

... would probably do it.  Then restart Snort, and make sure you're
using the '-o' rule on the command line.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list