[Snort-users] Question about negated and non-negated variables in rules

J-H. Johansen corinth at ...4741...
Mon Dec 1 07:14:02 EST 2003


Matt Kettler wrote:

> At 06:24 AM 11/29/2003, Jens-Harald Johansen wrote:
> 
>> But if I understand you correctly, I need to create pass rules for the 
>> hosts which are allowed to run the ICMP traffic? Think I'll need to 
>> RTFM concerning pass rules. Haven't used them before.
> 
> 
> pass rules are pretty straightforward, just make sure you pass the -o 
> parameter to snort's command line.
> 
> Also think your pass rules through carefully. Make sure you don't wind 
> up with a rule that is the equivalent of "pass any any -> any any".
> 

After reading a bit I ended up with a pass rule like the one below:

pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)


I kept the sid in order to know what alert rule I'm letting pass.

Thanks for the help

jens:H
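As an added example that is not part of the original thread, here is how a pass rule of this shape can sit in a rules file next to the alert it is meant to silence, together with the variables it depends on and the command line from Matt's reply. The addresses are constructed, the whitelist hosts are placed outside $HOME_NET so the stock alert would otherwise match them, and the text of sid 499 is my recollection of the icmp.rules shipped around that time (check it against your own copy). The pass rule here uses its own sid in the local range and records the alert number in msg; that is one way of doing it, not the only one.

```conf
# --- snort.conf (fragment) ---
# Addresses are constructed for this example.
var HOME_NET [192.168.10.0/24]
var EXTERNAL_NET !$HOME_NET
# Hosts allowed to send large ICMP payloads into HOME_NET (assumed values,
# deliberately outside HOME_NET so that the alert below would match them).
var ICMP_WHITELIST [10.0.0.21,10.0.0.22]

include $RULE_PATH/icmp.rules
include $RULE_PATH/local.rules

# --- icmp.rules (stock rule as recalled; verify against your copy) ---
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

# --- local.rules ---
# Pass rule: same match conditions as sid 499, but only from the whitelisted
# sources. Keeping the source field narrow is what prevents this from turning
# into the "pass any any -> any any" case warned about above.
# It carries a local-range sid and names the silenced alert in msg.
pass icmp $ICMP_WHITELIST any -> $HOME_NET any (msg:"pass large ICMP from whitelist (covers sid 499)"; dsize:>800; sid:1000499; rev:1;)

# Snort's default rule order is Alert->Pass->Log, so without -o the alert
# still fires before the pass rule is consulted. Start snort with -o to
# evaluate Pass rules first (Pass->Alert->Log), e.g.:
#   snort -o -c /etc/snort/snort.conf -i eth0
```

A quick way to check the pair is to send an ICMP echo with a payload above 800 bytes (for example `ping -s 900`) from a whitelisted host and from a non-whitelisted one: only the latter should produce the sid 499 alert when snort is started with -o, and both should when it is not.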
