Snort mailing list archives
Pass rule not passing preprocessors
From: Always Bishan <bishan4u () yahoo co uk>
Date: Sun, 20 Apr 2003 08:20:21 +0100 (BST)
Hi Snorters,

I wrote a pass rule which will pass anything coming from one machine.

    pass tcp 192.168.1.2 any -> any any
    pass icmp 192.168.1.2 any -> any any
    pass udp 192.168.1.2 any -> any any

Now I run the nessus scanner from 192.168.1.2. After the scan, when I viewed the alerts from my ACID, it still gave me alerts coming from preprocessors like spp_stream4 and spp_bo. But the alerts in the rule file didn't come up, which used to come up when there was no pass rule for 192.168.1.2.

Now by writing this pass rule I'm able to avoid any alerts from my rules directory, but preprocessors are still generating alerts. Is there any way to avoid this?

Regards,
Bishan

*Note: I did use the -o option at snort start up

=====
Celebrating Happiness
email: bishan () sumerusolutions com
company: www.sumerusolutions.com