[Snort-users] Question about negated and non-negated variables in rules
corinth at ...4741...
Mon Dec 1 07:14:02 EST 2003
Matt Kettler wrote:
> At 06:24 AM 11/29/2003, Jens-Harald Johansen wrote:
>> But if I understand you correctly, I need to create pass rules for the
>> hosts which are allowed to run the ICMP traffic ? Think I'll need to
>> RTFM concerning pass rules. Haven't used them before.
> pass rules are pretty straightforward, just make sure you pass the -o
> parameter to snort's command line.
> Also think your pass rules through carefully.. make sure you don't wind
> up with a rule that is the equivalent of "pass any any -> any any".
After reading a bit I ended up with a pass rule like below:
pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)
I kept the sid in order to know what alert rule I'm letting pass.
Thanks for the help
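Matt's warning above (a pass rule that collapses to "pass any any -> any any") is easy to check mechanically before loading a ruleset. The script below is an added example, not code from the thread or from the Snort project: it expands snort.conf-style `var` definitions (the `SNORT_VARS` table is constructed sample data; the `ICMP_WHITELIST` and `SLOPPY` values are invented for the demonstration) and flags pass rules whose source, destination and ports all resolve to `any`, plus pass rules with no `sid` to tie them back to the alert they suppress. It goes slightly beyond the thread in that it also follows nested and negated variables such as `EXTERNAL_NET = !$HOME_NET`. It does not check whether `-o` is on the command line, which the thread notes is still required for pass rules to take effect before alert rules.

```python
import re

# Constructed variable definitions in the shape of snort.conf "var" lines.
# These values are sample data for the example, not from the original thread.
SNORT_VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",          # negated reference to another var
    "ICMP_WHITELIST": "[192.168.1.10,192.168.1.11]",
    "SLOPPY": "any",                       # a variable that silently means "any"
}

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>pass|alert|log|drop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)


def resolve(value, variables, depth=0):
    """Expand a $VAR (or !$VAR) reference, following nested references,
    until a literal address/port/list remains."""
    if depth > 10:
        raise ValueError("variable expansion too deep: %r" % value)
    m = re.fullmatch(r"(!?)\$(\w+)", value)
    if not m:
        return value                      # already a literal
    negated, name = m.groups()
    if name not in variables:
        raise KeyError("undefined variable $%s" % name)
    expanded = resolve(variables[name], variables, depth + 1)
    if negated:
        # "!" on a value that is itself negated cancels out
        expanded = expanded[1:] if expanded.startswith("!") else "!" + expanded
    return expanded


def parse_rule(text):
    """Split a rule into its header fields and a dict of option keyword -> value."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a rule header: %r" % text)
    rule = m.groupdict()
    opts = {}
    if rule["opts"]:
        for item in rule["opts"].split(";"):
            item = item.strip()
            if not item:
                continue
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip()
    rule["opts"] = opts
    return rule


def is_any(value):
    return value.lower() == "any"


def audit_pass_rule(text, variables):
    """Return a list of findings for a pass rule. An empty list means the
    rule is scoped to specific hosts/ports or carries payload constraints."""
    rule = parse_rule(text)
    findings = []
    if rule["action"] != "pass":
        return findings
    src = resolve(rule["src"], variables)
    dst = resolve(rule["dst"], variables)
    sport = resolve(rule["sport"], variables)
    dport = resolve(rule["dport"], variables)
    if all(is_any(x) for x in (src, dst, sport, dport)) and not rule["opts"]:
        findings.append(
            "matches all traffic: equivalent to 'pass %s any any -> any any'"
            % rule["proto"])
    elif is_any(src) and is_any(dst):
        findings.append("unrestricted hosts on both sides; only options constrain it")
    if "sid" not in rule["opts"]:
        findings.append("no sid: cannot tell which alert this pass rule shadows")
    return findings


if __name__ == "__main__":
    for line in [
        "pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)",
        "pass icmp $SLOPPY any -> any any",
    ]:
        print(line, "->", audit_pass_rule(line, SNORT_VARS) or "ok")
```

Run against the rule Jens-Harald posted, the audit returns no findings; the `$SLOPPY` rule is reported as equivalent to `pass icmp any any -> any any`, which is exactly the case that only shows up at runtime when a variable was defined more loosely than the rule author assumed.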