[Snort-users] Snort pass rules failing

Jerry Shenk jshenk at ...514...
Thu May 13 18:03:04 EDT 2004


Yes, I did.  I also tried it from the command-line just to make sure I
didn't have something messed up in my init script.  It's the craziest
thing...the pass rules are very simple.  Here's one of them:

var WEB_PROXY x.x.x.x
pass tcp $HOME_NET any -> $WEB_PROXY 8080 (msg:"SCAN Proxy Port 8080 attempt - proxy"; stateless; flags:S,12; classtype:attempted-recon; sid:620; rev:6;)

In this case, there's only one ip address in the variable but I think
the use of variables makes it a little cleaner.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt
Kettler
Sent: Thursday, May 13, 2004 8:13 PM
To: Jerry Shenk; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort pass rules failing


At 07:19 PM 5/13/2004, Jerry Shenk wrote:
>I'm trying to get a new IDS box set up.  I'm trying to set up a few
>specific pass rules for a box that does monitoring (ICMP and SNMP) and a
>router (ICMP redirects) and a web proxy server.  None of them seem to be
>taking.  I'm running version 2.1.1 (Build 25)

did you start snort with the -o parameter?



