Snort mailing list archives
Re: Pass rule not working...
From: Erek Adams <erek () snort org>
Date: Thu, 23 Jan 2003 09:08:44 -0500 (EST)
On Thu, 23 Jan 2003, -=Quequero=- wrote:
> Hi all, I need some help please :((, I have some problems with a pass rule, here is a snippet of my configuration:
>
> snort.conf:
> var HOME_NET [192.168.1.0/24,10.0.0.0/8]
> var EXTERNAL_NET any

Change EXTERNAL_NET to !$HOME_NET.

> preprocessor portscan-ignorehosts: $HOME_NET
>
> local.rules:
> pass tcp $HOME_NET any -> $HOME_NET 8001
> pass tcp $HOME_NET 8001 -> $HOME_NET any

[...snip...]

That works for me, and should work for you. If it doesn't (the alerts are coming from spp_portscan(2)) then you might have to use a BPF filter.

snort <usual options> "not host <foo> and port 8001"

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
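
Added example, not part of the original message or of Snort itself: a small Python model of how the two EXTERNAL_NET settings discussed above change which sources match a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any`. HOME_NET is taken from the quoted snort.conf; the sample addresses, the function names and the simplified variable parser (no nested lists, no per-element negation) are assumptions made for illustration.

```python
import ipaddress

# HOME_NET value from the quoted snort.conf; sample addresses below are constructed.
HOME_NET = "[192.168.1.0/24,10.0.0.0/8]"

def parse_var(value, variables):
    """Return (negated, networks) for a Snort-style address value.
    networks is None when the value resolves to 'any'."""
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value.startswith("$"):
        # Resolve a variable reference; a negation on the reference flips the result.
        inner_negated, nets = parse_var(variables[value[1:]], variables)
        return negated != inner_negated, nets
    if value == "any":
        return negated, None
    items = value.strip("[]").split(",")
    return negated, [ipaddress.ip_network(item.strip()) for item in items]

def matches(addr, value, variables):
    """True if addr is selected by the address value."""
    negated, nets = parse_var(value, variables)
    hit = True if nets is None else any(
        ipaddress.ip_address(addr) in net for net in nets)
    return hit != negated

def external_to_home(src, dst, external_net):
    """True if '$EXTERNAL_NET any -> $HOME_NET any' matches src -> dst."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return (matches(src, "$EXTERNAL_NET", variables)
            and matches(dst, "$HOME_NET", variables))

if __name__ == "__main__":
    dst = "192.168.1.10"  # constructed internal destination
    for src in ("192.168.1.20", "10.4.5.6", "203.0.113.9"):
        for ext in ("any", "!$HOME_NET"):
            print(f"{src:>13} -> {dst}  EXTERNAL_NET={ext:<10} "
                  f"match={external_to_home(src, dst, ext)}")
```

With `EXTERNAL_NET any`, internal-to-internal traffic satisfies such a header; with `!$HOME_NET` only sources outside both HOME_NET ranges do.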