[Snort-users] Update to previous e-mail
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Mon Nov 3 13:11:15 EST 2003
Hi Matt --
I did include the -o option in the command syntax. FYI syntax as follows:
/usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o
The location of the policy-based.rules file is /etc/snort
Update: commenting out the first few lines, while significantly reducing the
amount of alerts
has not totally eliminated them. However, they appear at this point to be fewer
and far in
between for me to be able to managed them much more easily.
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Monday, November 03, 2003 4:03 PM
To: Kaplan, Andrew H.; 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Update to previous e-mail
At 03:10 PM 11/3/2003, Kaplan, Andrew H. wrote:
>alert tcp any any -> [any,10.10.0.0/24] any
Um.. what's the purpose of that? It is functionally the same as:
alert tcp any any -> any any
And that's significantly more legible.
>While these lines were uncommented, I would get an enormous amount of alerts
>from the 10.10.0.0 subnet
>even though subsequent pass rules told snort to let pass any and all ip, tcp,
>and udp traffic on any port.
Did you pass the -o option to snort? If you don't pass -o then all alert
rules will execute before all pass rules, without regard for what order
they are placed in the file. Thus, in the default scenario, pass rules do
absolutely nothing to prevent alerts.
There is ALWAYS a precedence relationship between types of rules in snort..
you can never use file locations to cause ordering of different kinds of
Default is rule order is alert first, pass second, log third. If you use -o
the order becomes pass, alert, log.
More information about the Snort-users