[Snort-users] Update to previous e-mail

Kaplan, Andrew H. AHKAPLAN at ...10063...
Mon Nov 3 13:11:15 EST 2003


Hi Matt --

I did include the -o option in the command syntax. FYI syntax as follows:
	/usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o

The location of the policy-based.rules file is /etc/snort

Update: commenting out the first few lines, while significantly reducing the
amount of alerts, has not totally eliminated them. However, they appear at this
point to be fewer and far in between for me to be able to manage them much more
easily.


-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Monday, November 03, 2003 4:03 PM
To: Kaplan, Andrew H.; 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Update to previous e-mail


At 03:10 PM 11/3/2003, Kaplan, Andrew H. wrote:
>alert tcp any any -> [any,10.10.0.0/24] any

Um.. what's the purpose of that? It is functionally the same as:

alert tcp any any -> any any

And that's significantly more legible.

>While these lines were uncommented, I would get an enormous amount of alerts
>from the 10.10.0.0 subnet
>even though subsequent pass rules told snort to let pass any and all ip, tcp,
>and udp traffic on any port.

Did you pass the -o option to snort? If you don't pass -o then all alert 
rules will execute before all pass rules, without regard for what order 
they are placed in the file. Thus, in the default scenario, pass rules do 
absolutely nothing to prevent alerts.

There is ALWAYS a precedence relationship between types of rules in snort.. 
you can never use file locations to cause ordering of different kinds of 
rules.

Default rule order is alert first, pass second, log third. If you use -o
the order becomes pass, alert, log.
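Added example, not code from either message or from Snort itself: a small Python simulation of the rule-type precedence Matt describes, run against rules constructed to resemble Andrew's (a catch-all alert followed by pass rules for 10.10.0.0/24). It assumes a simplified rule header syntax, the "ip" protocol matching any transport, and constructed sample packets; rule options are ignored.

```python
import ipaddress
from collections import namedtuple

# Rule-type precedence as described in the thread: file position never matters,
# only the type order does. Default puts alert before pass; -o puts pass first.
DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")
Rule = namedtuple("Rule", "action proto src sport dst dport")

def parse_rule(line):
    # Header only: action proto src sport -> dst dport; rule options are ignored.
    f = line.split()
    assert f[4] == "->", line
    return Rule(f[0], f[1], f[2], f[3], f[5], f[6])

def addr_matches(spec, ip):
    # spec is 'any', a host/CIDR, or a bracketed list like '[any,10.10.0.0/24]';
    # a list containing 'any' matches every address, so it equals plain 'any'.
    addr = ipaddress.ip_address(ip)
    return any(item == "any" or addr in ipaddress.ip_network(item, strict=False)
               for item in spec.strip("[]").split(","))

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt["proto"])
            and addr_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])
            and addr_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"]))

def decide(rules, pkt, order=DEFAULT_ORDER):
    """Return the action Snort takes: rules are searched one type at a time in
    `order`, so by default a pass rule never gets a chance to suppress an alert."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action
    return None

# Constructed rules modelled on the thread: the catch-all alert, followed by pass
# rules that are meant to exempt the 10.10.0.0/24 subnet.
RULES = [parse_rule(ln) for ln in """
alert tcp any any -> [any,10.10.0.0/24] any (msg:"catch-all";)
pass ip 10.10.0.0/24 any -> any any (msg:"trust internal src";)
pass ip any any -> 10.10.0.0/24 any (msg:"trust internal dst";)
""".splitlines() if ln.strip()]

# Constructed sample packets (documentation addresses only).
PKT_INTERNAL = {"proto": "tcp", "src": "10.10.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80}
PKT_EXTERNAL = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 80}
```

Under the default order `decide(RULES, PKT_INTERNAL)` returns "alert" even though a pass rule matches; with `DASH_O_ORDER` it returns "pass", while traffic from outside the subnet still alerts under both orders.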