[Snort-users] Setting Up Policy-Based.rules file
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Mon Nov 3 08:03:19 EST 2003
I am setting up a policy-based rules file to have Snort monitor traffic
coming from the Internet, while allowing
network traffic from the internal network to pass without incident. I want
to provide a blanket pass statement
for the internal network, and I want to verify several things:
1. I don't want, initally, to monitor any traffic going from the 10.1.0.0
network to any TCP/IP port on the server
220.127.116.11. Therefore would the following statements work?
pass ip 10.1.0.0/24 any -> 18.104.22.168 0:65534
pass tcp 10.1.0.0/24 any -> 22.214.171.124 0:65534
pass udp 10.1.0.0/24 any -> 126.96.36.199 0:65534
2. If I want, at a later date, to monitor particular port traffic, do I add
the ports I want to monitor AFTER the
blanket range shown in item 1, or do I add them BEFORE it?
More information about the Snort-users