Snort mailing list archives
Re: Pass rule help needed
From: Joe McAlerney <joey () SiliconDefense com>
Date: Sat, 05 Jan 2002 11:13:30 -0800
Hi Steve,

Passing only applies to Snort's rules and not preprocessors. The best you can do is add 192.168.1.20/32 to the portscan-ignorehosts plugin list, or use a bpf filter to ignore UDP traffic to port 137 from 192.168.1.20.

HTH,

-Joe M.

--
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Steve Ochani wrote:
Hello,

I'm using snort 1.8.3 on a Sun ULTRA 10 with Solaris 8. Running snort as

    /opt/snort/bin/snort -o -d -D -A fast -c /opt/snort/etc/snort.conf

I'm trying to write a pass rule to not detect scans to port 137(udp) from 1 machine. I've tried

    pass udp 192.168.1.20/32 any -> any 137

and

    pass udp 192.168.1.20 any -> any 137

in my local.rules which is included in my snort.conf and I am using the -o option to run snort but I still get portscan detects from this machine to port 137.

I want to be able to detect portscans from that machine ... just not to port 137/udp

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
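The two workarounds from the reply above, as an added example that is not part of the original thread: the snort.conf line appears as a comment, and a small helper builds the BPF expression appended to the command line Steve posted. The function names are hypothetical; the host, port and command line are taken from the messages.

```shell
#!/bin/sh
# Added example; build_ignore_filter and snort_command are hypothetical names.

# Option 1 (snort.conf): tell the portscan preprocessor to ignore the host.
#   preprocessor portscan-ignorehosts: 192.168.1.20/32
# Trade-off: scans from this host to ANY port are no longer reported.

# Option 2 (BPF): exclude only the unwanted packets at capture time.
# Trade-off: excluded packets are invisible to rules and preprocessors alike.
build_ignore_filter() {
    # $1 = IPv4 source host, $2 = protocol (udp|tcp), $3 = destination port
    case "$1" in
        ''|*[!0-9.]*) echo "bad host: $1" >&2; return 1 ;;
    esac
    case "$2" in
        udp|tcp) ;;
        *) echo "bad protocol: $2" >&2; return 1 ;;
    esac
    case "$3" in
        ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;;
    esac
    if [ "$3" -lt 1 ] || [ "$3" -gt 65535 ]; then
        echo "bad port: $3" >&2
        return 1
    fi
    printf 'not (src host %s and %s dst port %s)\n' "$1" "$2" "$3"
}

# Append the filter, quoted as one argument, to the command from the thread.
snort_command() {
    filter=$(build_ignore_filter "$1" "$2" "$3") || return 1
    printf "%s '%s'\n" \
        "/opt/snort/bin/snort -o -d -D -A fast -c /opt/snort/etc/snort.conf" \
        "$filter"
}

# Print the resulting command line for review; it is not executed here.
snort_command 192.168.1.20 udp 137
```

With option 2 the portscan preprocessor still reports scans from 192.168.1.20 to other ports, which is the behaviour Steve asked for.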
Current thread:
- Pass rule help needed Steve Ochani (Jan 05)
- Re: Pass rule help needed Joe McAlerney (Jan 05)