[Snort-users] Pass rule not working...
erek at ...950...
Thu Jan 23 06:19:06 EST 2003
On Thu, 23 Jan 2003, -=Quequero=- wrote:
> Hi all, I need some help please :((, I have some problems with a pass rule,
> here is a snippet of my configuration:
> var HOME_NET [192.168.1.0/24,10.0.0.0/8]
> var EXTERNAL_NET any
Change EXTERNAL_NET to !$HOME_NET.
> preprocessor portscan-ignorehosts: $HOME_NET
> pass tcp $HOME_NET any -> $HOME_NET 8001
> pass tcp $HOME_NET 8001 -> $HOME_NET any
That works for me, and should work for you. If it doesn't (the alerts are
coming from spp_portscan(2)), then you might have to use a BPF filter.
snort <usual options> "not host <foo> and port 8001"
"When things get weird, the weird turn pro." H.S. Thompson