Snort mailing list archives

RE: Rules Question


From: "Jeff Dell" <jdell () activeworx com>
Date: Fri, 25 Feb 2005 09:04:06 -0500

Check your rules order. By default it is alert -> pass -> log -> etc...

Try adding the flag -o to your command line options when starting snort.

Cheers,
Jeff 

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Roy Kidder
Sent: Friday, February 25, 2005 8:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rules Question

I'm trying to write what I expected to be a simple set of rules, but it's not working for me. They look like this:

pass udp any any <> 10.0.0.10 53
pass udp any any <> 192.168.1.5 53
alert udp any any <> any 53 (msg: "DNS Query";)

What I expected was to alert on any DNS queries except those to 10.0.0.10 or to 192.168.1.5. Instead, I'm seeing alerts on everything including those two hosts.

Any pointers on what I did wrong?

Thanks in advance,
Roy

 
Roy Kidder
Network Engineer
Safelite Glass Corp.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from 
real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





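A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not code from either poster or from Snort): it parses the three rules from the question and evaluates constructed packets under the default alert -> pass -> log order and under the pass-first order that -o selects. The function names, the sample packets and the "first matching action list wins" model are assumptions made for the example.

```python
# Simplified model of action-ordered rule evaluation (not Snort source code).
import ipaddress

RULES = """\
pass udp any any <> 10.0.0.10 53
pass udp any any <> 192.168.1.5 53
alert udp any any <> any 53 (msg: "DNS Query";)
"""

DEFAULT_ORDER = ("alert", "pass", "log")  # order stated in the reply
DASH_O_ORDER = ("pass", "alert", "log")   # order applied when -o is given

def parse(text):
    """Return (action, proto, side_a, direction, side_b) for each rule header."""
    rules = []
    for line in text.splitlines():
        header = line.split("(", 1)[0].split()
        if len(header) != 7:
            continue  # not a rule header in the form used on this page
        action, proto, a_ip, a_port, direction, b_ip, b_port = header
        rules.append((action, proto, (a_ip, a_port), direction, (b_ip, b_port)))
    return rules

def side_matches(spec, ip, port):
    spec_ip, spec_port = spec
    ip_ok = spec_ip == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec_ip)
    return ip_ok and (spec_port == "any" or int(spec_port) == port)

def rule_matches(rule, pkt):
    _, proto, a, direction, b = rule
    if proto != pkt["proto"]:
        return False
    src, dst = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    forward = side_matches(a, *src) and side_matches(b, *dst)
    reverse = side_matches(a, *dst) and side_matches(b, *src)
    return forward or (direction == "<>" and reverse)

def verdict(rules, pkt, order):
    """Walk the action lists in the given order; the first list with a match decides."""
    for action in order:
        if any(r[0] == action and rule_matches(r, pkt) for r in rules):
            return action
    return "none"

# Constructed sample packets (not captured traffic).
TO_EXEMPT = {"proto": "udp", "src": "10.0.0.77", "sport": 40000, "dst": "10.0.0.10", "dport": 53}
FROM_EXEMPT = {"proto": "udp", "src": "192.168.1.5", "sport": 53, "dst": "192.168.1.20", "dport": 40001}
TO_OTHER = {"proto": "udp", "src": "10.0.0.77", "sport": 40002, "dst": "203.0.113.9", "dport": 53}

if __name__ == "__main__":
    for name, pkt in (("to exempt", TO_EXEMPT), ("from exempt", FROM_EXEMPT), ("to other", TO_OTHER)):
        print(name, verdict(parse(RULES), pkt, DEFAULT_ORDER), verdict(parse(RULES), pkt, DASH_O_ORDER))
```
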

