Snort mailing list archives
Update to previous e-mail
From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Mon, 3 Nov 2003 15:10:04 -0500
When writing the policy-based.rules file I had as my first lines several lines that read as follows:

    alert ip any any -> [any,10.10.0.0/24] any
    alert tcp any any -> [any,10.10.0.0/24] any
    alert udp any any -> [any,10.10.0.0/24] any

While these lines were uncommented, I would get an enormous amount of alerts from the 10.10.0.0 subnet even though subsequent pass rules told snort to let pass any and all ip, tcp, and udp traffic on any port. Once I commented out the lines, the alerts dropped down to 0.

Do I need any alert rules at the beginning of the policy-based.rules file to specify what subnets, in this case any subnet excluding the 10.10.0.0 subnet, snort should alert me on? If so, what is the correct syntax?
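The behaviour described above is an action-ordering question rather than a file-ordering one: Snort 2.x evaluates alert rules before pass rules by default, regardless of where they sit in the rules file, and the `-o` command-line option switches to pass-first order. The following is an added Python model of that ordering, not code from the thread or from Snort itself. The parser, the `packet()` helper, the sample addresses and the acceptance of `any` inside a bracketed list are assumptions of this model; the rule headers are the ones quoted in the post, plus a blanket pass rule and a negated (`![...]`) variant that excludes the subnet in the header itself.

```python
import ipaddress

# Constructed model of Snort 2.x action ordering (not Snort's own code).
# Default order is alert -> pass -> log; "snort -o" selects pass -> alert -> log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")   # what "snort -o" selects


def parse_addr(spec):
    """Parse an address field: any, a CIDR, or a [list,of,them], optionally negated with '!'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    items = []
    for part in spec.strip("[]").split(","):
        part = part.strip()
        # Accepting "any" inside a bracketed list is an assumption of this model.
        items.append("any" if part == "any" else ipaddress.ip_network(part, strict=False))
    return negated, items


def addr_matches(parsed, ip):
    negated, items = parsed
    hit = any(item == "any" or ip in item for item in items)
    return hit != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def parse_rule(line):
    """Parse the rule header only; an option body in parentheses is ignored by this model."""
    action, proto, src, sport, direction, dst, dport = line.split()[:7]
    return {"action": action, "proto": proto, "src": parse_addr(src), "sport": sport,
            "direction": direction, "dst": parse_addr(dst), "dport": dport}


def header_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
               and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if rule["direction"] == "->" or forward:
        return forward
    # "<>" also matches the reverse direction
    return (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
            and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return the first action in `order` that has a matching rule, or 'none'."""
    for action in order:
        if any(r["action"] == action and header_matches(r, pkt) for r in rules):
            return action
    return "none"


def packet(proto, src, sport, dst, dport):
    # Hypothetical packet record used only by this model.
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


# The three alert headers from the post, followed by a blanket pass rule.
POSTED_RULES = [parse_rule(r) for r in (
    "alert ip any any -> [any,10.10.0.0/24] any",
    "alert tcp any any -> [any,10.10.0.0/24] any",
    "alert udp any any -> [any,10.10.0.0/24] any",
    "pass ip any any -> any any",
)]

# Constructed sample packets: one into the 10.10.0.0/24 subnet, one to an unrelated host.
PKT_IN = packet("tcp", "192.0.2.7", 40000, "10.10.0.5", 80)
PKT_OUT = packet("tcp", "192.0.2.7", 40000, "198.51.100.9", 80)

# Excluding the subnet in the header itself uses '!' negation rather than a list containing "any".
EXCLUDING_RULE = parse_rule("alert ip any any -> ![10.10.0.0/24] any")

if __name__ == "__main__":
    print("default order :", evaluate(POSTED_RULES, PKT_IN))                   # alert
    print("pass-first -o :", evaluate(POSTED_RULES, PKT_IN, PASS_FIRST_ORDER)) # pass
    print("negated, in   :", evaluate([EXCLUDING_RULE], PKT_IN))               # none
    print("negated, out  :", evaluate([EXCLUDING_RULE], PKT_OUT))              # alert
```

Two things the run makes visible: under the default order the alert rules win for traffic into 10.10.0.0/24 even though a pass rule for everything follows them, and only pass-first order lets the pass rule suppress them; and a destination list that contains `any` matches every destination in this model, so it does not narrow anything, whereas the negated form alerts only on traffic whose destination lies outside the excluded subnet.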
Current thread:
- Update to previous e-mail Kaplan, Andrew H. (Nov 03)
- Re: Update to previous e-mail Matt Kettler (Nov 03)
- <Possible follow-ups>
- RE: Update to previous e-mail Kaplan, Andrew H. (Nov 03)
