Hey Dave,

"pass" rules don't log but you should be able to define your own rule type that does what you want.  Check the ruletype keyword in section 3.2.1 of the manual.

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html

Hope that helps.
Russ

On 6/21/18 4:12 PM, Dave Osbourne wrote:
Hi,

I'm tying to debug a pcre match in a pass rule, but apart from inferring it's working when it doesn't fail I can seem to figure out how to get snort to LOG pass rules that it finds... (so that I know which rule is passing).

My most basic test is to set
output alert_fast: stdout              
call snort like:
/usr/local/bin/snort -c /etc/snort/snortdelme.conf -Q -i eth1:eth2
I'm (against most basically) matching a SYN packet:

        pass tcp  0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"pass message"; flags: S; dsize: 0; sid:1000;)
        log tcp  0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"log message"; flags: S; dsize: 0; sid:2000;)

I know the packet is flowing through the bridge - because if I change pass/log to reject I see a message and the packet is blocked.

I just can't figure out how to make pass appear in the log!

Dave


_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette