Snort mailing list archives
Re: pass rules
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Wed, 23 Oct 2002 17:41:54 +0200
Hi Andy,
> New to snort. Have looked high and fairly low for info on pass rules, and other than references to the fact that I should write them and use them, and that I should then use the -o argument, I am not finding the

The -o is for changing the rule-order, see the manpage for that:

    -o  Change the order in which the rules are applied to packets. Instead of being applied in the standard Alert->Pass->Log order, this will apply them in Pass->Alert->Log order.

> info on how to write one nor exactly where to put the rule if I did

pass-rules are normal rules, with the "action" set to pass. You can write them as described in http://www.snort.org/docs/writing_rules/. See chapter 2 there.

> write one. Can someone point me in the direction?

The rule has to be in the snort.conf file, or in a file you include. So you can put the pass rule in all your included rule-files (perhaps local.rules), or if you want to filter out a special sid, just take the appropriate .rules-file and substitute "alert ..." with "pass ...". E.g., if you are bored by the codered-alerts, just edit sid 1256 to the following in web-iis.rules (note the action is set to pass here):

    pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

If you like to ignore all TCP traffic from $EXTERNAL_NET to a box 192.168.0.4, it would be:

    pass tcp $EXTERNAL_NET any -> 192.168.0.4 any

There is a document on Erek's webserver which covers how to ignore things in snort; I think the pass-thingie is described there as well. The URL is http://www.theadamsfamily.net/~erek/snort/ignore.txt but it seems to be offline at the moment.

HTH,
Jens
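The "substitute alert with pass for one sid" edit that Jens describes, as an added Python example that is not part of the thread: it rewrites the action of only the active rule lines whose sid is in the given set and leaves comments and every other rule untouched. The rules text is a constructed fragment standing in for web-iis.rules, and the function names are mine.

```python
import re

# Constructed stand-in for a fragment of web-iis.rules: a comment, the CodeRed
# rule quoted in the thread, and one unrelated rule that must stay an alert.
SAMPLE_RULES = """\
# comment line stays untouched
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS constructed other rule"; sid:9999; rev:1;)
"""

# Matches the sid option inside a rule's option block, e.g. "sid:1256;".
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def rule_actions(rules_text):
    """Map sid -> action word for every uncommented rule line (for checking)."""
    actions = {}
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SID_RE.search(stripped)
        if m:
            actions[int(m.group(1))] = stripped.split(None, 1)[0]
    return actions


def pass_sids(rules_text, sids):
    """Return (new_text, changed_sids).

    Every active rule line whose action is 'alert' and whose sid is in `sids`
    gets its action rewritten to 'pass'; comments, blank lines, rules with
    other sids and rules that are not alerts are copied through unchanged.
    """
    wanted = set(int(s) for s in sids)
    out, changed = [], []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        m = SID_RE.search(stripped)
        if stripped.startswith("alert ") and m and int(m.group(1)) in wanted:
            indent = line[: len(line) - len(stripped)]
            out.append(indent + "pass " + stripped[len("alert "):])
            changed.append(int(m.group(1)))
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, done = pass_sids(SAMPLE_RULES, [1256])
    print(done, rule_actions(new_text))
```

Run it against a real rules file by reading the file into `pass_sids` and writing the returned text back; the `rule_actions` map before and after is a quick way to confirm that only the intended sid changed.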
Current thread:
- pass rules Hughes, Andy (Oct 23)
- Re: pass rules Alberto Gonzalez (Oct 23)
- Re: pass rules Jens Krabbenhoeft (Oct 23)
- <Possible follow-ups>
- RE: pass rules Hughes, Andy (Oct 23)