[Snort-users] Pass rule not working...

Erek Adams erek at ...950...
Thu Jan 23 06:19:06 EST 2003


On Thu, 23 Jan 2003, -=Quequero=- wrote:

> Hi all, i need some help please :((, i have some problems with a pass rule,
> here is a snippet of my configuration:
>
> snort.conf:
> var HOME_NET [192.168.1.0/24,10.0.0.0/8]
> var EXTERNAL_NET any

Change EXTERNAL_NET to !$HOME_NET.

> preprocessor portscan-ignorehosts: $HOME_NET
>
> local.rules:
> pass tcp $HOME_NET any -> $HOME_NET 8001
> pass tcp $HOME_NET 8001 -> $HOME_NET any

[...snip...]

That works for me, and should work for you.  If it doen't (the alerts are
coming from spp_portscan(2) then you might have to use a BPF filter.

snort <usual options> "not host <foo> and port 8001"

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list