[Snort-users] Problem with the -o option
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Fri Nov 5 14:04:02 EST 2004
I believe I found the problem: I did a check of the policy-based rules file
located in the rules folder. I had a hunch the file was really a symbolic link.
As it turned out, it was a symbolic link pointing to an obsolescent file. I
recreated the link to the 'real' policy-based rules file and after that the
amount of alerts dramatically dropped off. Thanks for your and everyone's help.
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Friday, November 05, 2004 3:37 PM
To: Kaplan, Andrew H.; Snort User Group (E-mail)
Subject: Re: [Snort-users] Problem with the -o option
At 10:50 AM 11/5/2004, Kaplan, Andrew H. wrote:
>2. The pass rules all have the <> operand between every instance of the source
>and destination. Is there anything else I need to do within
Can you post an example of what your pass rules look like?
They should be of the format:
pass ip host1/32 any <> host2/32 any
pass ip net1/cidrmask1 any <> net2/cidrmask2 any
(of course, you can make the pass rule more restrictive, by specifying
source/dest ports and a protocol other than IP (i.e. tcp))
pass host1 <> host2 isn't valid, as far as I know.
The last example sounds like what you're trying to describe, but I'm not
sure exactly what your pass rules look like based on your vague description.
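
Added example, not part of the original thread: a small Python check that a pass rule header has the seven fields shown in the format above (action, protocol, source address, source port, direction, destination address, destination port). The function names and the sample rules are constructed for illustration; addresses must be literal IPs/CIDRs, "any", or a $VARIABLE, and option bodies in parentheses are ignored.

```python
import ipaddress
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # protocols valid in a Snort 2.x rule header
DIRECTIONS = {"->", "<>"}                 # Snort has no "<-" operator

def _addr_ok(tok):
    """'any', a $VARIABLE, or a (negated) IP/CIDR or [comma,separated] list of them."""
    tok = tok.lstrip("!")
    if tok == "any" or re.fullmatch(r"\$\w+", tok):
        return True
    if tok.startswith("[") and tok.endswith("]"):
        return all(_addr_ok(t) for t in tok[1:-1].split(","))
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False

def _port_ok(tok):
    """'any', a $VARIABLE, a single port, or a range such as 1:1024, :1024, 1024:."""
    tok = tok.lstrip("!")
    if tok == "any" or re.fullmatch(r"\$\w+", tok):
        return True
    if tok == ":" or not re.fullmatch(r"\d+|\d*:\d*", tok):
        return False
    return all(int(p) <= 65535 for p in tok.split(":") if p)

def check_pass_rule(rule):
    """Return a list of header problems; an empty list means the header is well-formed."""
    fields = rule.split("(", 1)[0].split()  # drop any "(options)" part
    if len(fields) != 7:
        return [f"expected 7 header fields, got {len(fields)}"]
    action, proto, src, sport, direction, dst, dport = fields
    checks = [
        (action == "pass", f"action is '{action}', not 'pass'"),
        (proto in PROTOCOLS, f"unknown protocol '{proto}'"),
        (_addr_ok(src), f"bad source address '{src}'"),
        (_port_ok(sport), f"bad source port '{sport}'"),
        (direction in DIRECTIONS, f"bad direction operator '{direction}'"),
        (_addr_ok(dst), f"bad destination address '{dst}'"),
        (_port_ok(dport), f"bad destination port '{dport}'"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    # Constructed sample rules using documentation addresses.
    for r in ("pass ip 192.0.2.10/32 any <> 192.0.2.20/32 any",
              "pass 192.0.2.10 <> 192.0.2.20"):
        print(r, "->", check_pass_rule(r) or "ok")
```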