[Snort-users] Pass rule not working...

Erek Adams erek at ...950...
Thu Jan 23 06:19:06 EST 2003

On Thu, 23 Jan 2003, -=Quequero=- wrote:

> Hi all, I need some help please :((, I have some problems with a pass rule,
> here is a snippet of my configuration:
> snort.conf:
> var HOME_NET [,]
> var EXTERNAL_NET any


> preprocessor portscan-ignorehosts: $HOME_NET
> local.rules:
> pass tcp $HOME_NET any -> $HOME_NET 8001
> pass tcp $HOME_NET 8001 -> $HOME_NET any


That works for me, and should work for you.  If it doesn't (the alerts are
coming from spp_portscan(2)) then you might have to use a BPF filter.

snort <usual options> "not (host <foo> and port 8001)"


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

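In pcap filter syntax negation binds tighter than `and`, so how a filter like the one in the reply is grouped decides which packets Snort ever sees. The following is an added example, not part of the original post: a small evaluator for a subset of that syntax (host, port, not, and, or, parentheses) run over constructed packets; the addresses, packet names and function names are assumptions.

```python
import re

def combine(op, a, b):
    return (lambda p: a(p) and b(p)) if op == "and" else (lambda p: a(p) or b(p))

def parse(text):
    """Compile a small subset of pcap-filter syntax into a packet predicate."""
    tokens = re.findall(r"[()]|[^\s()]+", text)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        pos += 1
        return tokens[pos - 1]

    def primary():
        tok = take()
        if tok == "not":                  # negation binds tightest:
            inner = primary()             # it covers one primitive or one group
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "host":
            addr = take()
            return lambda p: addr in (p["src"], p["dst"])
        if tok == "port":
            num = int(take())
            return lambda p: num in (p["sport"], p["dport"])
        raise ValueError("unsupported token: " + tok)

    def expr():
        left = primary()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op, right = take(), primary()  # equal precedence, left to right
            left = combine(op, left, right)
        return left

    pred = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return pred

# Constructed sample packets; 10.0.0.5 stands in for <foo> (an assumption).
PACKETS = {
    "A": {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 8001},
    "B": {"src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.7", "dport": 80},
    "C": {"src": "198.51.100.3", "sport": 40002, "dst": "10.0.0.9", "dport": 22},
    "D": {"src": "198.51.100.3", "sport": 40003, "dst": "10.0.0.9", "dport": 8001},
}

def visible(filter_text):
    """Names of the sample packets the filter would pass to the sensor."""
    match = parse(filter_text)
    return [name for name, pkt in PACKETS.items() if match(pkt)]
```

`visible("not host 10.0.0.5 and port 8001")` keeps only packet D, while `visible("not (host 10.0.0.5 and port 8001)")` drops only packet A and leaves the rest of the traffic for inspection.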
