Snort mailing list archives

Re: Pass Rule


From: Joseph Nuara <joe () moorecap com>
Date: Tue, 26 Nov 2002 17:03:53 -0500 (EST)

I have amended the rule to the following

pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53

and it appears to be passing over them now. 

I am using Version 1.9.0 (Build 209) of Snort

What am I doing wrong in the following rule (yes it is all on one line):

 pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53 
 (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|";)




On 26 Nov 2002, Frank Knobbe wrote:

On Tue, 2002-11-26 at 15:44, Joseph Nuara wrote: 
I have it at the top of the rules list 

local.rules
dns.rules 

and the is still sending the messages. Any other ideas?


hrmpf.... no, not really. When I want to mask rules, I just copy the
rule from whatever.rules and paste it into pass.rules, modifying the IP
as necessary. I'm still on 1.8.7 though. It could be that there is a bug
in the version you are using.

If the other IP address is a trusted host, then don't use the content
field so that all DNS traffic is passed.

Regards,
Frank






