Snort mailing list archives

pass rule


From: "Gosswiler Bjoern" <Bjoern.Gosswiler () c-channel net>
Date: Fri, 25 Apr 2003 11:35:30 +0200

Hi all,

I just get confused with my pass rules!!!!!

I don’t want to get portscan traffic from $HOME_NET to the DMZ proxy server on
port 8080

-------------------------------------------
spp_portscan2) Portscan detected from 212.8.128.120: 2 targets 21 ports
in 18 seconds
212.8.128.120:8080        192.168.192.226:2001        TCP  
----------------------------------------------
To keep out this entry I wrote a pass rule:
pass tcp $HOME_NET -> 212.8.128.120 8080


Also this portscan traffic:
--------------------------------------------------------
spp_portscan2) Portscan detected from 212.8.128.114: 6 targets 34 ports
in 61 seconds
212.8.128.114:445        192.168.192.162:1399       
---------------------------------------------------------
pass tcp $HOME_NET -> 212.8.128.114/32 445


I put all my pass rules in the file local.rules
and start snort with -o

-> I don’t want to define portscan-ignorehost (e.g. 212.8.128.120) because I
think all ports to this IP are then ignored!?

Do I understand something wrong??

Björn
