No subject

Thu Nov 23 16:36:19 EST 2017


Some people don't like the default way in which Snort applies its rules to
packets, with the Alert rules applied first, then the Pass rules, and finally
the Log rules.  This sequence is somewhat counterintuitive, but it's a more
foolproof method than allowing the user to write a hundred alert rules and then
disable them all with an errant pass rule.  For people who know what they're
doing, the "-o" switch has been provided to change the default rule
application behavior to Pass rules, then Alert, then Log:

./snort -d -h -l ./log -c snort.conf -o

On Thu, 25 Jan 2001 alexh at ...1207... wrote:

> Hi,
> I've just upgraded to 1.7, which is nice[1], but I'm having a problem getting
> pass rules to work.
> With 1.6, I would use the rules
>     pass tcp any  80 -> $HOME_NET any
>     pass tcp any any -> $HOME_NET 80
>     # [snip other pass rules]
>     log tcp any any -> $HOME_NET :1023
> to exclude web traffic from the logs. This worked fine.
> However, using exactly the same rules with snort1.7, web traffic *is* being
> logged.
> After much commenting out of rules, I am sure that these are the culprits.
> I tried altering the pass rules to
>     pass tcp any 80 <> any any
> but it made no difference. Am I just being my usual stupid self, or is there
> a less humiliating explanation, I wonder?
> [1] -- I may be understating here.
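An added illustration, not part of the thread: a toy Python model of the two rule-type orderings the reply describes (default Alert, Pass, Log versus Pass, Alert, Log under -o), run over the poster's rules plus a constructed alert rule and an errant catch-all pass rule of the kind the reply warns about. The matcher is deliberately minimal (rule headers only, "any", $HOME_NET, exact ports and ":N" ranges); the packets and the $HOME_NET value are constructed.

```python
import ipaddress
from collections import namedtuple

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 1.x default order
O_SWITCH_ORDER = ("pass", "alert", "log")  # order selected by the -o switch

Rule = namedtuple("Rule", "action proto src sport direction dst dport")

def parse_rule(text):
    # Header-only rules such as 'pass tcp any 80 -> $HOME_NET any' (no option body).
    return Rule(*text.split())

def _host_ok(spec, host, home_net):
    net = home_net if spec == "$HOME_NET" else spec
    return spec == "any" or ipaddress.ip_address(host) in ipaddress.ip_network(net, strict=False)

def _port_ok(spec, port):
    if spec.startswith(":"):  # ':1023' means every port up to and including 1023
        return port <= int(spec[1:])
    return spec == "any" or port == int(spec)

def _one_way(rule, src, sport, dst, dport, home_net):
    return (_host_ok(rule.src, src, home_net) and _port_ok(rule.sport, sport)
            and _host_ok(rule.dst, dst, home_net) and _port_ok(rule.dport, dport))

def matches(rule, pkt, home_net):
    # pkt = (proto, src_ip, src_port, dst_ip, dst_port); '<>' matches either direction.
    proto, src, sport, dst, dport = pkt
    if rule.proto != proto:
        return False
    return (_one_way(rule, src, sport, dst, dport, home_net)
            or (rule.direction == "<>" and _one_way(rule, dst, dport, src, sport, home_net)))

def apply_rules(rules, pkt, home_net, order=DEFAULT_ORDER):
    # Whole rule types are tried in 'order'; the first matching rule decides the verdict.
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt, home_net):
                return action
    return None

# Constructed sample: the poster's rules, one alert rule, and an errant catch-all pass.
RULES = [parse_rule(r) for r in (
    "pass tcp any 80 -> $HOME_NET any", "pass tcp any any -> $HOME_NET 80",
    "log tcp any any -> $HOME_NET :1023", "alert tcp any any -> $HOME_NET 80",
    "pass tcp any any -> any any")]
HOME = "192.168.1.0/24"                                # constructed $HOME_NET
WEB = ("tcp", "10.0.0.5", 34567, "192.168.1.10", 80)  # constructed inbound web packet
```

With only the poster's three rules the web packet is passed under either order; once the errant catch-all pass rule is present, the default order still raises the alert, while the -o order silences it.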
