[Snort-users] Logging "pass" rules that are hit

Russ rucombs at cisco.com
Mon Jun 25 17:49:16 EDT 2018


Hey Dave,

"pass" rules don't log but you should be able to define your own rule 
type that does what you want.  Check the ruletype keyword in section 
3.2.1 of the manual.

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html

Hope that helps.
Russ

On 6/21/18 4:12 PM, Dave Osbourne wrote:
> Hi,
>
> I'm trying to debug a pcre match in a pass rule, but apart from 
> inferring it's working when it doesn't fail I can't seem to figure out 
> how to get snort to LOG pass rules that it finds... (so that I know 
> which rule is passing).
>
> My most basic test is to set
>
>     output alert_fast: stdout
>
> call snort like:
>
>     /usr/local/bin/snort -c /etc/snort/snortdelme.conf -Q -i eth1:eth2
>
> I'm (against most basically) matching a SYN packet:
>
>         pass tcp 0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"pass message"; flags: S; dsize: 0; sid:1000;)
>         log tcp 0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"log message"; flags: S; dsize: 0; sid:2000;)
>
> I know the packet is flowing through the bridge - because if I change 
> pass/log to reject I see a message and the packet is blocked.
>
> I just can't figure out how to make pass appear in the log!
>
> Dave
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
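
Russ's suggestion worked through as an added example (editor's illustration, not part of either post): a snort.conf fragment in Snort 2.9 syntax that declares a custom rule type and then uses it in place of "pass" for Dave's SYN test. The rule type name "logpass" and the capture file name are assumptions; the destination address is left as Dave wrote it.

```conf
# Added example (not from the original thread). A custom rule type built on
# "alert": in -Q inline mode an alert does not block, so the packet is still
# forwarded, but every hit is now written to the outputs declared here.
ruletype logpass
{
    type alert
    output alert_fast: stdout
    # Also capture the matching packets so the pcre can be checked offline
    # against the exact bytes Snort saw (assumed file name).
    output log_tcpdump: logpass.log
}

# Same test rule as in the question, with the action swapped for the
# custom type while debugging. Switch it back to "pass" once the pcre
# is confirmed, because "logpass" does not have pass semantics (see note).
logpass tcp 0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"pass message"; flags:S; dsize:0; sid:1000; rev:1;)
```

Two caveats a practitioner should keep in mind. First, the rule type name must not collide with a built-in action (pass, alert, log, drop, reject, sdrop), or the config will not parse. Second, a type built on "alert" only logs; it does not short-circuit the other rules the way "pass" does, so a drop or reject rule matching the same SYN elsewhere in the ruleset will still fire. That makes this a debugging aid for confirming the match, not a permanent replacement for the pass rule.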
