[Snort-users] Trouble with pass rule

Carl lists at ...9056...
Tue Apr 29 11:47:07 EDT 2003


Doh! |*^o^*|

Might be time to change my default font size...

Thanks, Neil.


On Tuesday April 29 2003 11:16, Neil Dickey wrote:
> Carl <lists at ...9056...> wrote below, asking:
>
> [ Why does my pass rule not work. ]
>
> The way you have your variables set the alert rule picks up traffic
> from any port, anywhere, to any port on your home net.  The source
> address of the alert is 10.27.13.211, which matches "anywhere," and
> the target address is 10.27.255.255, which matches "10.27.0.0/16".
>
> Your pass rule affects traffic moving between 10.47.0.0./16 and your
> home net -- note the second octet is "47", not "27" ( typo?).  That's
> why the pass rule isn't doing what you want.
>
> I hope this helps.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115





More information about the Snort-users mailing list