Snort mailing list archives

Rules


From: "Enrico M.V. Fasanelli" <Enrico.M.V.Fasanelli () le infn it>
Date: Mon, 11 Feb 2002 15:17:56 +0100 (MET)


    Hi all,

    I run snort-mysql-1.8.3-5 on a RH7.2 box

    I've written the following rule (in the local.rule)

var LNF_AFS_SERVERS [193.206.84.121/32,193.206.84.123/32]

pass udp $LNF_AFS_SERVERS 7000:7009 <> $HOME_NET 7000:7009

     Where HOME_NET is defined in the main snort.conf as

var HOME_NET [192.84.152.0/24,193.206.152.0/23]

     and started the snortd with the -o flag. But:


Generated by ACID v0.9.6b20 on Mon February 11, 2002 13:28:54


------------------------------------------------------------------------------
#(1 - 7075) [2002-02-07 11:12:13] [arachNIDS/247]  MISC Large UDP Packet
IPv4: 193.206.84.121 -> 193.206.152.113
      hlen=5 TOS=0 dlen=4284 ID=52436 flags=0 offset=0 TTL=23 chksum=21973
UDP:  port=7000 -> dport: 7001 len=4264
Payload:  length = 4064


     Why does snort refuse to follow my "pass" rule?

     How can I tell snortd not to log this kind of traffic?


     Ciao
                                Enrico


      Enrico M.V. Fasanelli          Phone +39 0832 320.435/448
Istituto Nazionale Fisica Nucleare   Fax   +39 0832 325128
       Sezione di Lecce              mailto:Enrico.M.V.Fasanelli () le infn it
  Servizio di Calcolo & Reti         Via per Arnesano, I-73100 LECCE (Italy)
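
An added example, not part of the original post: a simplified Python model of a Snort rule header that checks the alerted packet from the ACID output against the pass rule, to confirm whether the rule's addresses and ports actually cover it. It assumes only the syntax seen in the post (bracketed CIDR lists, `lo:hi` port ranges, `->` and `<>`); the function names are hypothetical and this is not Snort's own parser.

```python
import ipaddress

# Values copied from the post. The matching logic is a simplified model
# (no negation, no "any"), written for this example only.
VARS = {
    "LNF_AFS_SERVERS": "[193.206.84.121/32,193.206.84.123/32]",
    "HOME_NET": "[192.84.152.0/24,193.206.152.0/23]",
}
PASS_RULE = "pass udp $LNF_AFS_SERVERS 7000:7009 <> $HOME_NET 7000:7009"
# Packet fields taken from the ACID alert shown in the post.
ALERT = {"proto": "udp", "src": "193.206.84.121", "sport": 7000,
         "dst": "193.206.152.113", "dport": 7001}

def nets(token):
    """Expand a $VAR or a literal bracketed list into network objects."""
    if token.startswith("$"):
        token = VARS[token[1:]]
    return [ipaddress.ip_network(n) for n in token.strip("[]").split(",")]

def ip_in(addr, token):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets(token))

def port_in(port, token):
    """Match a single port or a lo:hi range (open ends default to 0/65535)."""
    if ":" not in token:
        return port == int(token)
    lo, hi = token.split(":")
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def side_matches(addr, port, ip_tok, port_tok):
    return ip_in(addr, ip_tok) and port_in(port, port_tok)

def header_matches(rule, pkt):
    """True if the packet satisfies the rule header, honouring '<>'."""
    _action, proto, ip1, p1, direction, ip2, p2 = rule.split()
    if proto != pkt["proto"]:
        return False
    forward = (side_matches(pkt["src"], pkt["sport"], ip1, p1)
               and side_matches(pkt["dst"], pkt["dport"], ip2, p2))
    reverse = (side_matches(pkt["src"], pkt["sport"], ip2, p2)
               and side_matches(pkt["dst"], pkt["dport"], ip1, p1))
    return forward or (direction == "<>" and reverse)

if __name__ == "__main__":
    print("alerted packet matches pass rule header:",
          header_matches(PASS_RULE, ALERT))
```

Under this model the alerted packet does fall inside the pass rule's header, so the address and port scoping of the rule is not what lets the alert through.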






