RE: -o and pass/alert/log usage

[Joe Fico <Fico () AirAuto COM>]

Well I changed my rules to look like this.

#pass icmp 172.16.100.9/32 any <- any any (msg:"PASSING ICMP from N.A. NOC
Server";)
alert icmp 172.16.100.9/32 any <- any any (msg:" ALERTING ICMP FROM N.A. NOC
Server";)

and I got this message.

Jun 27 15:54:52 localhost snort[5629]: ALERTING ICMP FROM N.A. NOC Server:
172.16.100.9 -> 198.182.113.130

so thats cool now I can uncomment out the pass rule and I get...

nothing.

Why don't I get a message for the pass rule?



> -----Original Message-----
> From: joey () SiliconDefense com [mailto:joey () SiliconDefense com]
> Sent: Wednesday, June 27, 2001 3:39 PM
> To: Sheahan, Paul (PCLN-NW); 'Joe Fico'
> Cc: Snort-users
> Subject: Re: [Snort-users] -o and pass/alert/log usage
>
>
> Paul: That is correct.  Pass rules take precedence when -o is used,
> regardless of where they are located with respect to alert rules.
>
> Joe:  Looking at your problem, I'm wondering if your ROUTER ICMP alert
> rules contain addresses that are outside of your HOME_NET.  This would
> explain why they are not being passed on.  First, make them valid
> addresses by adding the /32 netmask.  Next, confirm that they do exist
> in your HOME_NET.  If that doesn't help, try changing $HOME_NET in your
> pass rules to "any".  Next, I would try removing the $HOME_NET variables
> from the msg field, take out the "->" in the msg field while you are at
> it.  We're just making sure Snort is parsing the rule incorrectly.
>
> Post back with your findings.
>
> Hope this helps,
>
> -Joe M.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users