Snort mailing list archives

Re: pass rules


From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Wed, 23 Oct 2002 17:41:54 +0200

Hi Andy,

> New to snort.  Have looked high and fairly low for info on pass rules,
> and other than references to the fact that I should write them and use
> them, and that I should then use the -o argument, I am not finding the

The -o is for changing the rule-order, see the manpage for that:

-o   Change the order in which the rules are applied to packets.  Instead
     of being applied in the standard Alert->Pass->Log order, this will apply
     them in Pass->Alert->Log order.

> info on how to write one nor exactly where to put the rule if I did

pass-rules are normal rules, with the "action" set to pass. You can
write them as described in http://www.snort.org/docs/writing_rules/. See
chapter 2 there.

> write one.  Can someone point me in the direction?

The rule has to be in the snort.conf file, or in a file you include. So
you can put the pass rule in any of your included rule-files (perhaps
local.rules), or if you want to filter out a specific sid, just take the
appropriate .rules-file and substitute "alert ..." with "pass ...".

E.g., if you are bored by the codered-alerts, just edit sid 1256 to the
following in web-iis.rules (note the action is set to pass here):

pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; \
    flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; \
    reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

If you like to ignore all TCP traffic from $EXTERNAL_NET to a box
192.168.0.4, it would be:

pass tcp $EXTERNAL_NET any -> 192.168.0.4 any

There is a document on Erek's webserver which covers how to ignore
things in snort; I think the pass-thingie is described there as
well. The URL is http://www.theadamsfamily.net/~erek/snort/ignore.txt
but it seems to be offline at the moment.

HTH,

        Jens
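The reply above hinges on rule order: a pass rule only helps if it is consulted before the alert rule that would otherwise fire. The following script is an added illustration, not code from the mail or from the Snort project. It is a toy simulation of the Alert->Pass->Log ordering quoted from the manpage (and the Pass->Alert->Log ordering that -o selects), with a minimal parser for the two rule styles shown in the mail. The variable table standing in for snort.conf "var" lines, the packet, and the simplified matching (only proto, addresses, ports and uricontent; nocase is always assumed) are constructed assumptions for the demo, not Snort's actual engine.

```python
import ipaddress
import re

# Constructed stand-in for "var ..." lines in snort.conf (assumption for this demo).
VARS = {
    "$EXTERNAL_NET": ["0.0.0.0/0"],
    "$HTTP_SERVERS": ["192.168.0.0/24"],
    "$HTTP_PORTS": [80],
}

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)(?:\s*\((?P<opts>.*)\))?\s*$"
)

# The two rules from the mail: sid 1256 as shipped (alert) and the host-wide pass rule.
CODERED_ALERT = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; '
    'flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; '
    'reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)'
)
PASS_HOST = "pass tcp $EXTERNAL_NET any -> 192.168.0.4 any"

DEFAULT_ORDER = ("alert", "pass", "log")  # Alert->Pass->Log, the order quoted from the manpage
DASH_O_ORDER = ("pass", "alert", "log")   # Pass->Alert->Log, what -o switches to


def parse_rule(line):
    """Split a one-line rule into its header fields and an option dict (keys without values map to '')."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("cannot parse rule: " + line)
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in (rule.pop("opts") or "").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _addr_match(spec, ip):
    if spec == "any":
        return True
    nets = VARS.get(spec, [spec])  # a $VAR expands to its networks, a literal IP/CIDR stands alone
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def _port_match(spec, port):
    if spec == "any":
        return True
    ports = VARS[spec] if spec in VARS else [int(spec)]
    return port in ports


def matches(rule, pkt):
    """Header match plus uricontent (case-insensitive; 'nocase' is assumed for simplicity)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])):
        return False
    if not (_addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    uri = rule["opts"].get("uricontent")
    return uri is None or uri.lower() in pkt.get("uri", "").lower()


def dispatch(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, sid) of the first matching rule, consulting action groups in the given order."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action, rule["opts"].get("sid")
    return "none", None


def demo():
    # Constructed packet: a CodeRed-style root.exe request to the host the pass rule is meant to cover.
    pkt = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
           "dst": "192.168.0.4", "dport": 80, "uri": "/scripts/root.exe"}
    alert_rule = parse_rule(CODERED_ALERT)
    pass_host = parse_rule(PASS_HOST)
    results = {
        # Without -o the alert group is consulted first, so the pass rule never gets a say.
        "default_order": dispatch([alert_rule, pass_host], pkt),
        # With -o the pass rule wins and the packet is ignored.
        "dash_o_order": dispatch([alert_rule, pass_host], pkt, DASH_O_ORDER),
    }
    # Editing sid 1256 itself to "pass ..." works regardless of -o, because there is no alert left.
    edited = dict(alert_rule, action="pass")
    results["sid_1256_as_pass"] = dispatch([edited], pkt)
    # The host pass rule is narrow: the same request to another web server still alerts under -o.
    results["other_host_dash_o"] = dispatch([alert_rule, pass_host], dict(pkt, dst="192.168.0.5"), DASH_O_ORDER)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the simulation makes is the trade-off in the mail: a broad pass rule plus -o silences everything for that host (including signatures you may still want), while rewriting one sid to pass is surgical and independent of rule ordering.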

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net