[Snort-users] Pass Rules Questions

Demetri Mouratis dmourati at ...3877...
Thu Jan 30 11:23:10 EST 2003


Hello,

I've got a problem with some pass rules that don't seem to be passing.

Snort is v1.9.0, I'm running it on a stealth interface (eth1) connected to
a monitoring port on my switch.

I'd like snort to ignore traffic to and from port 25.  Here
are the two rules I've added to local.rules to accomplish this:

pass tcp $HOME_NET 1025:65535 <> any 25
pass tcp $HOME_NET 25 <> any 1025:65535

HOME_NET is defined in snort.conf:

var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]

Snort is invoked thusly:

/usr/local/bin/snort-b -d -D -o -i eth1 -c /etc/snort/snort.conf

Looking through my ACID logs:

(spp_portscan2) Portscan detected from www.xxx.yyy.zzz:
1 targets 21 ports in 58 seconds


2003-01-30 13:02:34-06

SRC: www.xxx.yyy.zzz:25

DST aaa.bbb.ccc.ddd:34722

PROTO: TCP

Additionally, in snort.conf, I've defined:

var IGNORE_PORTSCAN $HOME_NET
preprocessor portscan2-ignorehosts: $IGNORE_PORTSCAN

Any guidance greatly appreciated.

Thanks.
---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...





More information about the Snort-users mailing list