[Snort-users] Problem with the -o option

Kaplan, Andrew H. AHKAPLAN at ...10063...
Fri Nov 5 14:04:02 EST 2004


Matt --

I believe I found the problem: I did a check of the policy-based rules file located in the rules folder. I had a hunch the file was really a symbolic link. As it turned out, it was a symbolic link pointing to an obsolescent file. I recreated the link to the 'real' policy-based rules file, and after that the amount of alerts dramatically dropped off. Thanks for your help, and everyone else's.

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Friday, November 05, 2004 3:37 PM
To: Kaplan, Andrew H.; Snort User Group (E-mail)
Subject: Re: [Snort-users] Problem with the -o option


At 10:50 AM 11/5/2004, Kaplan, Andrew H. wrote:
>2. The pass rules all have the <> operand between every instance of the source
>and destination. Is there anything else I need to do within
>the file?

Can you post an example of what your pass rules look like?

They should be of the format:

         pass ip host1/32 any <> host2/32 any

or
         pass ip net1/cidrmask1 any <> net2/cidrmask2 any

(Of course, you can make the pass rule more restrictive by specifying source/dest ports and a protocol other than IP, i.e. tcp.)

pass host1 <> host2 isn't valid, as far as I know.

The last example sounds like what you're trying to describe, but I'm not 
sure exactly what your pass rules look like based on your vague description.
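Added example, not code from the original thread or from the Snort project: a small Python checker for the two things that went wrong in this thread, pass-rule headers that do not follow the action/proto/src/sport/dir/dst/dport shape Matt describes, and rules-file symlinks that resolve somewhere other than the file they are supposed to point at. The rule lines, file names and expected-target mapping are all constructed for illustration; the pass-rule grammar assumed is the Snort 2 header format.

```python
"""Sanity checks for Snort pass rules and rules-directory symlinks.

Added example, not Snort project code.  Assumes Snort 2 rule headers:
    action proto src sport dir dst dport [(options)]
"""
import os
import re
import tempfile
from pathlib import Path

# Header shape Matt gives for pass rules.  "pass host1 <> host2" has no
# protocol and no port fields, so it does not match and is reported.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"(?:\s*\(.*\))?\s*$"
)

# Constructed sample, not a real rules file.
SAMPLE_RULES = """\
# constructed sample, not a real Snort rules file
pass ip 10.0.0.5/32 any <> 10.0.1.9/32 any
pass tcp 192.168.1.0/24 any <> 10.0.2.0/24 22
pass 10.0.0.5 <> 10.0.1.9
pass ip any any <> any any
alert tcp any any -> any 80 (msg:"constructed"; sid:1000001; rev:1;)
"""


def parse_header(line):
    """Return the header fields of one rule line, or None if malformed."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def lint_pass_rules(text):
    """Check every pass rule in a rules file body.

    Returns a list of (line_number, problem).  Comments and blank lines are
    skipped; alert/log rules are parsed for shape but otherwise not judged.
    """
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hdr = parse_header(line)
        if hdr is None:
            problems.append((n, "malformed rule header"))
            continue
        if hdr["action"] != "pass":
            continue
        # With -o, pass rules are tested before alert rules, so a pass rule
        # with "any" on both sides silences every alert.  Flag it.
        if hdr["src"] == "any" and hdr["dst"] == "any":
            problems.append((n, "pass rule matches every host"))
    return problems


def check_rule_links(rules_dir, expected=None):
    """Resolve every symlink directly inside rules_dir.

    expected maps link name -> file name it should resolve to.  Returns a
    sorted list of (link_name, resolved_target_name, status) where status is
    "ok", "dangling" (target missing) or "stale" (resolves to the wrong file,
    as the policy rules link in this thread did).
    """
    expected = expected or {}
    report = []
    for entry in sorted(Path(rules_dir).iterdir()):
        if not entry.is_symlink():
            continue
        target = entry.resolve()          # non-strict: no error if dangling
        if not target.exists():
            status = "dangling"
        elif entry.name in expected and target.name != expected[entry.name]:
            status = "stale"
        else:
            status = "ok"
        report.append((entry.name, target.name, status))
    return report


def demo_symlink_check():
    """Build a constructed rules directory with one good link, one stale link
    (pointing at an old policy file) and one dangling link, then check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policy-2004.rules").write_text(
            "pass ip 10.0.0.5/32 any <> 10.0.1.9/32 any\n")
        (root / "policy-2003.rules").write_text("# obsolete policy file\n")
        (root / "web.rules").write_text(
            'alert tcp any any -> any 80 (msg:"constructed"; sid:1000002;)\n')
        os.symlink("web.rules", root / "web-link.rules")        # ok
        os.symlink("policy-2003.rules", root / "policy.rules")  # stale
        os.symlink("missing.rules", root / "local.rules")       # dangling
        expected = {"policy.rules": "policy-2004.rules",
                    "web-link.rules": "web.rules"}
        return check_rule_links(root, expected)


if __name__ == "__main__":
    for n, problem in lint_pass_rules(SAMPLE_RULES):
        print(f"line {n}: {problem}")
    for link, target, status in demo_symlink_check():
        print(f"{link} -> {target}: {status}")
```

Point `check_rule_links` at your real rules directory with a mapping of the links you expect, and run `lint_pass_rules` over the file that `snort -o` is actually loading (the resolved target, not the link), since a pass rule that is wider than intended is the first thing to rule out when alert counts look wrong.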
