Snort mailing list archives
Unable to get Pass rules to ignore some traffic.
From: "David E. Gianndrea" <daveg () comsquared com>
Date: Wed, 17 Jul 2002 17:03:19 -0400
I'm having an issue where I'm trying to keep down my false alerts for valid traffic between hosts by using pass rules.

As an example...

var HOME_NET 1.61.0.0/16
var EXTERNAL_NET !$HOME_NET
var BRANCH_NETS [1.182.0.0/16,1.62.0.0/16,1.69.0.0/16]

pass udp $BRANCH_NETS any -> x.x.0.2 162 (msg:"SNMP trap udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1419; rev:2; classtype:attempted-recon;)

/usr/local/snort-eth0/bin/snort -u snort -g snort -i eth0 -d -D -o -c /usr/local/snort-eth0/etc/snort.conf -l /var/log/snort/snort-eth0

I'm unsure about the order that snort will process these rules, but I moved the local.rules to the top of the list in the snort.conf.

I'm using Version 1.8.7 (Build 128) of snort.

Anyone got any clues?

--
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.
Current thread:
- Unable to get Pass rules to ignore some traffic. David E. Gianndrea (Jul 17)
- <Possible follow-ups>
- RE: Unable to get Pass rules to ignore some traffic. McCammon, Keith (Jul 17)
- Re: Unable to get Pass rules to ignore some traffic. David E. Gianndrea (Jul 17)