Hey Dave,

"pass" rules don't log but you should be able to define your own rule type that does what you want.  Check the ruletype keyword in section 3.2.1 of the manual.


Hope that helps.
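As an added illustration (not from the original thread), one way to apply the ruletype suggestion to Dave's test rule. It assumes the block is placed in snortdelme.conf before the rules that use it, and that this Snort build honours an output line inside a ruletype whose type is pass; the address and sids are Dave's placeholders.

```conf
# Added example (not from the thread): a custom rule type that keeps pass
# semantics but also writes a fast-format line to stdout, so a matching
# pass rule becomes visible while debugging.
# Assumption: this Snort build applies the output plugin to a ruletype of
# type pass. The block must appear before any rule that uses the name.
ruletype passlog
{
    type pass
    output alert_fast: stdout
}

# Original, silent form (kept here for comparison only; do not load both,
# or two rules compete for the same SYN):
# pass tcp any any -> 192.168.X.Y 1433 (msg:"pass message"; flags:S; dsize:0; sid:1000;)

# Same match using the custom rule type: the action word is the ruletype
# name, and the msg text is what alert_fast prints on stdout.
passlog tcp any any -> 192.168.X.Y 1433 (msg:"pass message (logged)"; flags:S; dsize:0; sid:1001;)
```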

On 6/21/18 4:12 PM, Dave Osbourne wrote:

I'm trying to debug a pcre match in a pass rule, but apart from inferring it's working when it doesn't fail I can't seem to figure out how to get snort to LOG pass rules that it finds... (so that I know which rule is passing).

My most basic test is to set
output alert_fast: stdout
and call snort like:
/usr/local/bin/snort -c /etc/snort/snortdelme.conf -Q -i eth1:eth2
I'm (against most basically) matching a SYN packet:

        pass tcp any any -> 192.168.X.Y 1433 (msg:"pass message"; flags:S; dsize:0; sid:1000;)
        log tcp any any -> 192.168.X.Y 1433 (msg:"log message"; flags:S; dsize:0; sid:2000;)

I know the packet is flowing through the bridge - because if I change pass/log to reject I see a message and the packet is blocked.

I just can't figure out how to make pass appear in the log!


Snort-users mailing list