[Snort-users] Update to previous e-mail

Kaplan, Andrew H. AHKAPLAN at ...10063...
Mon Nov 3 12:11:08 EST 2003


When writing the policy-based.rules file I had as my first lines several lines
that read as follows:

alert ip any any -> [any,10.10.0.0/24] any
alert tcp any any -> [any,10.10.0.0/24] any
alert udp any any -> [any,10.10.0.0/24] any

While these lines were uncommented, I would get an enormous amount of alerts
from the 10.10.0.0 subnet, even though subsequent pass rules told Snort to let
pass any and all ip, tcp, and udp traffic on any port.
Once I commented out the lines, the alerts dropped down to 0.

Do I need any alert rules at the beginning of the policy-based.rules file to
specify what subnets, in this case any subnet excluding the 10.10.0.0 subnet,
Snort should alert me on? If so, what is the correct syntax?
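As an added example, not part of the original message or of any Snort distribution file, the following rules file shows the syntax for alerting on every destination except the 10.10.0.0/24 subnet, together with the ordering directive that lets pass rules take effect before alert rules. Snort 2.x applies alert rules before pass rules by default (the same change is made by starting Snort with -o), so a broad alert rule at the top of a file fires no matter what pass rules follow it. The sid values and msg strings are assumptions chosen for this example.

```snort
# Added example rules file (not from the original message).
# Assumes Snort 2.x rule syntax; sid values 1000001+ and msg text are made up.

# Evaluate pass rules before alert rules. Snort's default order is
# alert -> pass -> log, so without this a broad alert rule fires before
# any pass rule is consulted. Equivalent to running snort with -o.
config order: pass alert log activation dynamic

# Let all traffic to or from the 10.10.0.0/24 subnet through silently.
pass ip any any <> 10.10.0.0/24 any (msg:"pass 10.10.0.0/24"; sid:1000001; rev:1;)

# Alert on IP traffic to any destination except 10.10.0.0/24.
# '!' negates the address that follows it; 'ip' already covers tcp and udp,
# so separate tcp/udp rules are only needed when their options differ.
alert ip any any -> !10.10.0.0/24 any (msg:"ip to non-local subnet"; sid:1000002; rev:1;)

# Excluding several subnets at once: negate a bracketed, comma-separated list.
alert ip any any -> ![10.10.0.0/24,192.168.1.0/24] any (msg:"ip to non-local subnets"; sid:1000003; rev:1;)
```

A destination of `[any,10.10.0.0/24]` does not exclude anything: `any` already matches every address, so the list matches all traffic, which is consistent with the flood of alerts described above. The negated form is what expresses "everything except this subnet".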
