[Snort-users] Rules Question

Jeff Dell jdell at ...1095...
Fri Feb 25 06:10:10 EST 2005


Check your rule order. By default it is alert -> pass -> log -> etc...

Try adding the flag -o to your command line options when starting snort.

Cheers,
Jeff 

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Roy Kidder
> Sent: Friday, February 25, 2005 8:26 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Rules Question
> 
> I'm trying to write what I expected to be a simple set of rules, but it's not
> working for me. They look like this:
> 
> pass udp any any <> 10.0.0.10 53
> pass udp any any <> 192.168.1.5 53
> alert udp any any <> any 53 (msg: "DNS Query";)
> 
> What I expected was to alert on any DNS queries except those to 10.0.0.10 or
> to 192.168.1.5. Instead, I'm seeing alerts on everything including those two
> hosts.
> 
> Any pointers on what I did wrong?
> 
> Thanks in advance,
> Roy
> 
>  
> Roy Kidder
> Network Engineer
> Safelite Glass Corp.
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
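The ordering effect discussed in this thread, as an added illustration that is neither Snort's own code nor something either poster wrote: a toy model that groups rules by type and tries the groups in Snort's default order (alert, pass, log) or in the order selected by `-o` (pass, alert, log). The first rule that matches ends evaluation, so the same packet hitting both a pass rule and an alert rule produces an alert under the default order and is silently passed under `-o`. The grammar parsed here covers only the rule header and the `msg` option used in Roy's three rules; the sample packets are constructed for the example.

```python
import re
import ipaddress
from dataclasses import dataclass

# Rule-type application order. Snort's default is alert -> pass -> log,
# which is why a pass rule cannot suppress a matching alert rule;
# "snort -o" switches to pass -> alert -> log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""


def parse_rule(line):
    """Parse a Snort rule header plus an optional msg option (toy grammar only)."""
    header, _, opts = line.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("expected 'action proto src sport dir dst dport': %r" % line)
    if fields[0] not in ("alert", "pass", "log"):
        raise ValueError("unsupported action %r" % fields[0])
    if fields[4] not in ("->", "<>"):
        raise ValueError("unsupported direction %r" % fields[4])
    m = re.search(r'msg\s*:\s*"([^"]*)"', opts)
    return Rule(*fields, msg=m.group(1) if m else "")


def _ip_match(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False
    forward = (_ip_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
               and _ip_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))
    if rule.direction == "->":
        return forward
    # "<>" is bidirectional: also accept the packet with its endpoints swapped.
    reverse = (_ip_match(rule.src, pkt.dst) and _port_match(rule.sport, pkt.dport)
               and _ip_match(rule.dst, pkt.src) and _port_match(rule.dport, pkt.sport))
    return forward or reverse


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return the action taken on pkt: rules are grouped by type, the groups are
    tried in `order`, and the first matching rule ends evaluation (None if no match)."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action
    return None


# The three rules from the thread.
RULES = [parse_rule(r) for r in (
    "pass udp any any <> 10.0.0.10 53",
    "pass udp any any <> 192.168.1.5 53",
    'alert udp any any <> any 53 (msg: "DNS Query";)',
)]

# Constructed sample traffic (not taken from the thread).
TO_LOCAL_DNS = Packet("udp", "192.168.1.100", 5353, "10.0.0.10", 53)
TO_OTHER_DNS = Packet("udp", "192.168.1.100", 5353, "8.8.8.8", 53)
REPLY_FROM_LOCAL_DNS = Packet("udp", "10.0.0.10", 53, "192.168.1.100", 5353)

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", PASS_FIRST_ORDER)):
        for pkt in (TO_LOCAL_DNS, TO_OTHER_DNS, REPLY_FROM_LOCAL_DNS):
            print(name, pkt.src, "->", pkt.dst, "=>", evaluate(RULES, pkt, order))
```

Running it shows the query to 10.0.0.10:53 coming back as "alert" under the default order and "pass" under the `-o` order, while the query to 8.8.8.8:53 alerts either way. Two practical caveats: a pass rule that wins removes the packet from all further rule processing, so any other alert or log rule that would have fired on it is silenced too, which is why pass rules should be scoped as tightly as the two host-specific ones here; and in Snort 2.x the same reordering can be set in snort.conf with `config order: pass alert log` instead of the `-o` command-line flag.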