Snort mailing list archives

Previous By Date Next
Previous By Thread Next

(no subject)

From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Tue, 4 Nov 2003 08:09:51 -0500
When writing the policy-based.rules file I had as my first lines several lines
that read as follows:

alert ip any any -> [any,10.10.0.0/24] any
alert tcp any any -> [any,10.10.0.0/24] any
alert udp any any -> [any,10.10.0.0/24] any

While these lines were uncommented, I would get an enormous amount of alerts
from the 10.10.0.0 subnet even though subsequent pass rules told snort to let
pass any and all ip, tcp, and udp traffic on any port. Once I commented out the
lines, the alerts dropped down to 0.

Do I need any alert rules at the beginning of the policy-based.rules file to
specify what subnets, in this case any subnet excluding the 10.10.0.0 subnet,
snort should alert me on? If so, what is the correct syntax?

I did include the -o option in the command syntax. FYI syntax as follows:
        /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o

The location of the policy-based.rules file is /etc/snort

Also, I do not seem to be getting any alerts from traffic coming in from the
Internet. Is that normal?


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: