[Snort-users] Pass rule not working...

Matt Kettler mkettler at ...4108...
Thu Jan 23 10:52:08 EST 2003


Actually, *does* that work for you Erek?

I seemed to have to use:
preprocessor portscan2-ignorehosts: $HOME_NET

instead of:
preprocessor portscan-ignorehosts: $HOME_NET

when using portscan2, and that output looks pretty portscan2-ish to me.

But you are right, if that's output from a preprocessor like portscan2, I 
don't think pass rules will change anything. BPF is the way to go for that, 
or use the portscan2-ignorehosts bit. Or heck, just turn off portscan2 
entirely (preferably replacing it with something else that works better 
like spade).



At 09:08 AM 1/23/2003 -0500, Erek Adams wrote:
> > preprocessor portscan-ignorehosts: $HOME_NET
> >
> > local.rules:
> > pass tcp $HOME_NET any -> $HOME_NET 8001
> > pass tcp $HOME_NET 8001 -> $HOME_NET any
>
>[...snip...]
>
>That works for me, and should work for you.  If it doen't (the alerts are
>coming from spp_portscan(2) then you might have to use a BPF filter.
>
>snort <usual options> "not host <foo> and port 8001"





More information about the Snort-users mailing list