[Snort-users] re: Pass Rule question

Erek Adams erek at ...950...
Fri Jun 13 02:59:07 EDT 2003

On Wed, 11 Jun 2003 lindsay.hunt at ...9446... wrote:

> I have a question regarding the use of pass rules. I am running snort with
> the "-o" option and want to ignore specific snmp traffic; specifically,
> snmp requests from a particular ip address destined for 2 separate
> addresses.
> I created a file called pass.rules and placed it in the rules directory. It
> has the following syntax:
>      pass udp x.x.x.x any -> udp [y.y.y.y , z.z.z.z ] 161
> x.x.x.x corresponds to the source address and y and z to the destination
> addresses.
> Is the syntax correct? The traffic that I want to ignore is still showing
> up as alerts.  Thanks in advance for any help.

It could be one of two things:

	*  Make it into two different rules.  Maybe you have something
	   with the IP list messed up.
	*  Grab the nightly CVS tarball [0] and try that.  There was a
	   commit made earlier this week that made some changes with the
	   pass rules.

I'm guessing it's the second one.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/dl/snapshots/snort-current.tar.gz
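
The first suggestion in the reply above (one rule per destination instead of an IP list), as an added example that is not part of the original message or of Snort itself. It is a Python helper with hypothetical function names; it assumes the header layout action, protocol, source address, source port, direction, destination address, destination port, and the sample rule and its addresses are constructed.

```python
import re

# Assumed header layout: action proto src_ip src_port direction dst_ip dst_port [(options)]
ADDR = r"!?\[[^\]]*\]|\S+"
HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>" + ADDR + r")\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>" + ADDR + r")\s+(?P<dport>\S+)(?P<opts>\s+\(.*\))?\s*$"
)


def expand(addr):
    """Return the members of a bracketed address list, or [addr] for a single address."""
    if addr.startswith("!["):
        # "not (a or b)" is not the same as one rule for "!a" plus one for "!b"
        raise ValueError("negated list cannot be split: " + addr)
    if not addr.startswith("["):
        return [addr]
    members = [a.strip() for a in addr[1:-1].split(",") if a.strip()]
    if not members:
        raise ValueError("empty address list")
    return members


def split_rule(rule):
    """Rewrite one rule as a list of rules that each name a single source and destination."""
    m = HEADER.match(rule)
    if m is None:
        raise ValueError("does not fit the seven-field header: " + rule.strip())
    # Options are copied verbatim, so a sid inside them would be repeated in every rule.
    opts = (m["opts"] or "").strip()
    out = []
    for src in expand(m["src"]):
        for dst in expand(m["dst"]):
            fields = [m["action"], m["proto"], src, m["sport"], m["dir"], dst, m["dport"]]
            out.append(" ".join(fields + ([opts] if opts else [])))
    return out


if __name__ == "__main__":
    # Constructed sample rule; the addresses are documentation-range placeholders.
    sample = "pass udp 192.0.2.10 any -> [198.51.100.5 , 198.51.100.6 ] 161"
    for line in split_rule(sample):
        print(line)
```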
