[Snort-users] Pass rule not working...

-=Quequero=- quequero at ...8067...
Thu Jan 23 05:25:04 EST 2003


Hi all, I need some help please :((, I have some problems with a pass rule, here is a snippet of my configuration:

snort.conf:
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET any

preprocessor portscan-ignorehosts: $HOME_NET

local.rules:
pass tcp $HOME_NET any -> $HOME_NET 8001
pass tcp $HOME_NET 8001 -> $HOME_NET any

Snort of course is running with the -o option:
snort -o -AFull -D -u snort -i any -dev ...

That pass rule should ignore all traffic coming from (and going to) my $HOME_NET on port 8001, but my logs are full of:

TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1185 tgts: 1 ports: 25 flags: ***AP*** event_id: 2841
TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1184 tgts: 1 ports: 26 flags: ***AP*** event_id: 2841
TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1186 tgts: 1 ports: 27 flags: ***AP*** event_id: 2841
TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1239 tgts: 1 ports: 21 flags: ***AP*** event_id: 0
TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1240 tgts: 1 ports: 22 flags: ***AP*** event_id: 3711

Is there a way to avoid this?? Thanks a lot to all :)))))))))))))


-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978 
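
An added example, not part of the original post: a small matcher that checks whether the headers of the two pass rules cover the packets in the quoted log lines. It assumes only `any`, `$VAR`, CIDR lists and single ports need handling; the function names are hypothetical, and the two log lines are the first and fourth from the post.

```python
import ipaddress
import re

# Values copied from the post; only the rule header (no options) is modelled.
VARS = {"HOME_NET": "[192.168.1.0/24,10.0.0.0/8]", "EXTERNAL_NET": "any"}
PASS_RULES = [
    "pass tcp $HOME_NET any -> $HOME_NET 8001",
    "pass tcp $HOME_NET 8001 -> $HOME_NET any",
]
LOG_LINES = [
    "TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1185 tgts: 1 ports: 25 flags: ***AP*** event_id: 2841",
    "TCP src: 10.0.0.1 dst: 10.0.0.2 sport: 8001 dport: 1239 tgts: 1 ports: 21 flags: ***AP*** event_id: 0",
]
LOG_RE = re.compile(r"(\w+) src: (\S+) dst: (\S+) sport: (\d+) dport: (\d+)")

def addr_matches(spec, ip):
    """True if ip falls inside a rule address spec (any, CIDR, [list], $VAR)."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return True
    nets = spec.strip("[]").split(",")
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip(), strict=False)
               for n in nets)

def port_matches(spec, port):
    """True if the port spec is 'any' or equals the single literal port."""
    return spec == "any" or int(spec) == port

def header_matches(rule, proto, src, sport, dst, dport):
    """Compare one unidirectional (->) rule header with a packet's 5-tuple."""
    _action, r_proto, r_src, r_sport, arrow, r_dst, r_dport = rule.split()[:7]
    return (arrow == "->" and r_proto == proto.lower()
            and addr_matches(r_src, src) and port_matches(r_sport, sport)
            and addr_matches(r_dst, dst) and port_matches(r_dport, dport))

def covering_rules(log_line):
    """Return the pass rules whose header covers the logged packet."""
    proto, src, dst, sport, dport = LOG_RE.match(log_line).groups()
    return [r for r in PASS_RULES
            if header_matches(r, proto, src, int(sport), dst, int(dport))]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(line.split(" tgts")[0], "->", covering_rules(line) or "NOT covered")
```

Both logged packets match the header of the second pass rule (source port 8001), so the rule headers as written do cover this traffic.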




