Snort mailing list archives

Previous By Date Next
Previous By Thread Next

newbie pass rule question

From: Eric Garnel <egarnel3470 () yahoo com>
Date: Tue, 18 Jun 2002 07:47:28 -0700 (PDT)
I have snort up and running and have set up HOME_NET to the subnet
that the external nic of the snort box sits on (our public subnet)
and have set EXTERNAL_NET to any !$HOME_NET in snort.conf.
I am seeing local pings between some of my devices that I want to
ignore.
Do I have to use a pass.rule with the -o flag? or can I just add them
to the icmp.rules with the pass option instead of alert?
Also, I am a little confused with the syntax:
If I wanted to include hosts to ignore-portscans in the preprocessor
portscan-ignorehosts is it 111.222.333.444/32 222.333.444.555/32...
or [111.222.333.444/32 111.222.444.555/32...]

I see examples of both on the web.
running snort 1.8.1

Thanks

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

----------------------------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                      >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: