[Snort-users] re: Pass Rule question

Erek Adams erek at ...950...
Fri Jun 13 02:59:07 EDT 2003


On Wed, 11 Jun 2003 lindsay.hunt at ...9446... wrote:

> I have a question regarding the use of pass rules. I am running snort with
> the "-o" option and want to ignore specific snmp traffic; specifically,
> snmp requests from a particular ip address destined for 2 separate
> addresses.
>
> I created a file called pass.rules and placed it in the rules directory. It
> has the following syntax:
>
>      pass udp x.x.x.x any -> udp [y.y.y.y , z.z.z.z ] 161
>
>
> x.x.x.x corresponds to the source address and y and z to the destination
> addresses.
>
> Is the syntax correct? The traffic that I want to ignore is still showing
> up as alerts.  Thanks in advance for any help.

It could be one of two things:

	*  Make it into two different rules.  Maybe you have something
	   with the IP list messed up.
	*  Grab the nightly CVS tarball [0] and try that.  There was a
	   commit made earlier this week that made some changes with the
	   pass rules.

I'm guessing it's the second one.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/dl/snapshots/snort-current.tar.gz
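
A header check for the rule discussed in this thread, as an added example that is not part of the original posts or of Snort itself. It assumes the seven-field header layout from the Snort manual (action, protocol, source address, source port, direction, destination address, destination port) and the manual's note that an IP list may not contain spaces; the 192.0.2.x addresses are constructed stand-ins for x.x.x.x, y.y.y.y and z.z.z.z.

```python
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

def split_header(rule):
    """Return the header tokens of a rule (text before the option block)."""
    header = rule.split("(", 1)[0]
    # Keep a bracketed IP list as one token even when it contains spaces.
    return re.findall(r"!?\[[^\]]*\]|\S+", header)

def check_header(rule):
    """Return a list of header problems; an empty list means none found."""
    tok = split_header(rule)
    problems = []
    if len(tok) != 7:
        problems.append(f"expected 7 header fields, found {len(tok)}")
    if not tok or tok[0] not in ACTIONS:
        problems.append("field 1 is not a rule action")
    if len(tok) < 2 or tok[1] not in PROTOCOLS:
        problems.append("field 2 is not a protocol")
    if len(tok) > 4 and tok[4] not in DIRECTIONS:
        problems.append(f"field 5 should be a direction, found {tok[4]!r}")
    # The protocol keyword belongs only in field 2.
    for pos, t in enumerate(tok[2:], start=3):
        if t in PROTOCOLS:
            problems.append(f"protocol keyword {t!r} in field {pos}")
    for t in tok:
        if t.lstrip("!").startswith("[") and re.search(r"\s", t):
            problems.append(f"whitespace inside IP list {t!r}")
    return problems

# Constructed sample rules: the posted form, then the "two rules" form.
POSTED = "pass udp 192.0.2.10 any -> udp [192.0.2.20 , 192.0.2.30 ] 161"
SPLIT = [
    "pass udp 192.0.2.10 any -> 192.0.2.20 161",
    "pass udp 192.0.2.10 any -> 192.0.2.30 161",
]

if __name__ == "__main__":
    for rule in [POSTED] + SPLIT:
        print(rule)
        for p in check_header(rule) or ["header OK"]:
            print("    " + p)
```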



