[Snort-users] Re: pass rule not working

Bill Essig billessig at ...11827...
Sat Feb 11 23:09:12 EST 2006


PS: Yes, I used the -o on the command line, but also had a ! in front of the
IP.

Nevermind, drink up!

~William

On 2/11/06, Bill Essig <billessig at ...11827...> wrote:
>
> Yes, I read the FAQ. I hope none of you have to drink too much after my
> question.
> I have the following in my snort.conf file:
>
> --
> pass tcp 192.168.1.100 any -> 192.168.1.99 80
> --
>
> So, I just decide to ask for /usr/bin/cc in my URL:
> http://192.168.1.99/index.php?arg=/usr/bin/cc
> I thought due to my rule, this would not be logged or alerted. (fast
> alerts) So I cat my alert log, and get:
>
> --
> 02/11-22:53:13.287208  [**] [1:1343:5] WEB-ATTACKS /usr/bin/cc command
> attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP}
> 192.168.1.100:2123 -> 192.168.1.99:80
> --
>
> It was my understanding that this was not to show up. Any clues?
>
> ~William
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060211/ba8ace94/attachment.html>


More information about the Snort-users mailing list