Snort mailing list archives
Re: Snort Rules
From: Colin Wu <wucolin () McMaster CA>
Date: Thu, 07 Jun 2001 20:18:09 -0400
Don't you also need to specify the protocol? i.e. tcp, udp, or icmp?

pass tcp 205.144.151.100/32 any -> 205.144.151.83/32 any
pass udp 205.144.151.100/32 any -> 205.144.151.83/32 any

Neil Dickey wrote:
> Brian Carpio <carb02 () csgsystems com> wrote asking:
>
> > I have created a rule
> >
> > pass 205.144.151.100/32 any -> 205.144.151.83/32 any
> >
> > but messages are still getting recorded in the /var/adm/messages from ICMP Requests from this box.. what's wrong with my rule?? does the order of rules in the snort.conf file regulate this?? Which takes precedence, a pass rule or an alert rule??
>
> It depends. If you are using the '-o' switch when invoking snort, then pass rules have precedence over alert rules. If you aren't, then alert rules have precedence. Check to be sure that you are using this switch.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois 60115
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Colin Wu
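The two points in this thread (a rule header needs a protocol, and `-o` decides whether pass or alert rules are tried first) can be modelled in a few lines. This is an added example, not code from any of the posts or from Snort itself; `parse_header`, `verdict`, the alert rule, the `pass icmp` rule and the sample packet are constructed for illustration, ports are ignored, and only `->` rules are handled.

```python
import ipaddress

ACTIONS = ("alert", "pass", "log")   # subset of Snort actions, enough for this thread
PROTOCOLS = ("tcp", "udp", "icmp")   # the protocols named in the reply above

def parse_header(rule):
    """Parse 'action proto src sport -> dst dport'; raise ValueError if malformed."""
    f = rule.split()
    if len(f) < 2 or f[0] not in ACTIONS:
        raise ValueError(f"unknown action in rule: {rule!r}")
    if f[1] not in PROTOCOLS:
        raise ValueError(f"missing or unknown protocol after {f[0]!r}: {rule!r}")
    if len(f) != 7 or f[4] != "->":
        raise ValueError(f"expected 'action proto src sport -> dst dport': {rule!r}")
    return {"action": f[0], "proto": f[1], "src": f[2], "dst": f[5]}

def _ip_match(spec, addr):
    # 'any' matches everything; otherwise test membership in the CIDR block.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def verdict(rules, packet, pass_first):
    """Return the first matching action; pass_first=True models running snort with -o."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    parsed = [parse_header(r) for r in rules]
    for action in order:
        for r in parsed:
            if (r["action"] == action and r["proto"] == packet["proto"]
                    and _ip_match(r["src"], packet["src"])
                    and _ip_match(r["dst"], packet["dst"])):
                return action
    return None

ALERT_ICMP = "alert icmp any any -> 205.144.151.83/32 any"               # constructed
PASS_TCP = "pass tcp 205.144.151.100/32 any -> 205.144.151.83/32 any"    # from the reply
PASS_UDP = "pass udp 205.144.151.100/32 any -> 205.144.151.83/32 any"    # from the reply
PASS_ICMP = "pass icmp 205.144.151.100/32 any -> 205.144.151.83/32 any"  # constructed
PING = {"proto": "icmp", "src": "205.144.151.100", "dst": "205.144.151.83"}  # constructed

if __name__ == "__main__":
    try:  # the rule from the original question has no protocol field
        parse_header("pass 205.144.151.100/32 any -> 205.144.151.83/32 any")
    except ValueError as e:
        print("rejected:", e)
    # tcp/udp pass rules never match ICMP, so the alert still fires even with -o
    print(verdict([ALERT_ICMP, PASS_TCP, PASS_UDP], PING, pass_first=True))
    # an icmp pass rule suppresses the alert only when pass rules are tried first
    print(verdict([ALERT_ICMP, PASS_ICMP], PING, pass_first=True))
    print(verdict([ALERT_ICMP, PASS_ICMP], PING, pass_first=False))
```
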
Current thread:
- Snort Rules Brian Carpio (Jun 07)
- <Possible follow-ups>
- Re: Snort Rules Neil Dickey (Jun 07)
- Re: Snort Rules Colin Wu (Jun 07)
- Re: Snort Rules Brian Carpio (Jun 08)
- Re: Snort Rules Colin Wu (Jun 07)
- Re: Snort Rules Neil Dickey (Jun 08)