Snort mailing list archives

Re: VPN and UDP alerts

From: Neil Dickey <neil () geol niu edu>
Date: Fri, 25 Apr 2003 12:50:55 -0500 (CDT)


"Allan Dover" <allan () redwoods ca> wrote asking:

Is there a way to not alert or log UDP:500 as source ?  Would I make a rule
to do this ?  I havent ventured into rule making as of yet.


A "pass" rule in 'local.rules' would probably do the trick.  Something
like ...

  pass udp $VPN-NET 500 <> $HOME_NET any

... would probably do it.  Then restart Snort, and make sure you're
using the '-o' rule on the command line.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

VPN and UDP alerts Allan Dover (Apr 24)
- <Possible follow-ups>
- Re: VPN and UDP alerts Neil Dickey (Apr 25)
  - Promiscuous interface hacks? Paul Schmehl (May 01)
    - Re: Promiscuous interface hacks? Frank Knobbe (May 01)
    - Re: Promiscuous interface hacks? Paul Schmehl (May 01)
    - Re: Promiscuous interface hacks? Matt Kettler (May 01)
    - Re: Promiscuous interface hacks? Paul Schmehl (May 01)
    - Re: Promiscuous interface hacks? Matt Kettler (May 01)
    - Re: Promiscuous interface hacks? Paul Schmehl (May 02)
    - Re: Promiscuous interface hacks? Frank Knobbe (May 01)
    - Re: Promiscuous interface hacks? Paul Schmehl (May 02)
- RE: VPN and UDP alerts Slighter, Tim (Apr 25)

(Thread continues...)