Snort mailing list archives

Re: newbie pass rule question


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 18 Jun 2002 11:24:35 -0700 (PDT)

On Tue, 18 Jun 2002, Eric Garnel wrote:

> I have snort up and running and have set up HOME_NET to the subnet
> that the external nic of the snort box sits on (our public subnet)
> and have set EXTERNAL_NET to any !$HOME_NET in snort.conf.

Ok.  So far so good.

> I am seeing local pings between some of my devices that I want to
> ignore.

Ahhhh...  I think I hear a FAQ coming on.....  :)

> Do I have to use a pass.rule with the -o flag?

To do what you want:  Yes.  See below.

> or can I just add them to the icmp.rules with the pass option instead of
> alert?

This will "work" but not in the way you expect.  Notice the line when snort
starts up that reads:

   Rule application order:  ->activation->dynamic->alert->pass->log

If you put a '-o' as a switch you get:

  Rule application order: ->pass->activation->dynamic->alert->log

Notice where the word 'pass' falls in the list on both....  If you don't use
"-o" snort will alert first, then pass.  If you add "-o" it will pass then
alert.  Be careful--You can shoot yourself in the foot with a poorly written
pass rule.

> Also, I am a little confused with the syntax: If I wanted to include
> hosts to ignore-portscans in the preprocessor portscan-ignorehosts is it
> 111.222.333.444/32 222.333.444.555/32... or [111.222.333.444/32
> 111.222.444.555/32...]
>
> I see examples of both on the web.

Ok, for the spp_portscan pre-processor:  You need to use a whitespace
delimited list, and not a comma separated one.  (Long explanation posted to
snort-users a while back, check the archives or email me if you want the full
reasons.....)

> running snort 1.8.1

If you can--UPGRADE!!!  1.8.6 and 1.8.7b7 (almost non-beta now) have
_significant_ changes and bugfixes over the 1.8.1 release.

And if you're a newbie, check out the FAQ[0] and the online Docs[1].  Quite a
bit of handy info in there....

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]     http://www.snort.org/docs/faq.html
[1]     http://www.snort.org/docs/writing_rules/
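Putting the two answers above together, here is an added example (not part of the original thread) of what the rule and configuration lines look like. The 192.0.2.x addresses and file paths are placeholders, not values from the thread:

```conf
# --- local-pass.rules (hypothetical file) ---
# Ignore ICMP between two internal monitoring hosts only.  The rule is as
# narrow as possible: both endpoints are fixed /32s and only ICMP matches.
pass icmp 192.0.2.10/32 any <> 192.0.2.20/32 any (msg:"ignore monitoring ping";)

# The foot-gun Erek warns about: this silences EVERY ICMP alert once -o is on.
# pass icmp any any <> any any (msg:"do not do this";)

# --- snort.conf additions ---
# Hosts the portscan pre-processor should skip: a whitespace delimited list,
# no commas and no square brackets.
preprocessor portscan-ignorehosts: 192.0.2.10/32 192.0.2.20/32

include $RULE_PATH/local-pass.rules
```

Without -o the order stays alert->pass->log, so the ping still alerts; start Snort with `snort -o -c /etc/snort/snort.conf` to get pass->activation->dynamic->alert->log, and confirm it in the "Rule application order" line printed at startup.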

