Snort mailing list archives
RE: -o and pass/alert/log usage
From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 28 Jun 2001 08:48:04 -0700
At 4:05 PM -0700 6/27/01, Joe Fico wrote:
Well I changed my rules to look like this.

#pass icmp 172.16.100.9/32 any <- any any (msg:"PASSING ICMP from N.A. NOC Server";)
alert icmp 172.16.100.9/32 any <- any any (msg:" ALERTING ICMP FROM N.A. NOC Server";)

and I got this message.

Jun 27 15:54:52 localhost snort[5629]: ALERTING ICMP FROM N.A. NOC Server: 172.16.100.9 -> 198.182.113.130

so that's cool now I can uncomment out the pass rule and I get... nothing. Why don't I get a message for the pass rule?

Because pass rules do not generate alerts or messages. They just stop the search for any other rule.

Kind regards,

  Jim
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland () SiliconDefense com *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
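
An added illustration, not part of the original post and not Snort's own code: a simplified Python model of the rule ordering this thread is about, assuming Snort 1.x's documented orders (Alert->Pass->Log by default, Pass->Alert->Log with -o). All function and variable names are hypothetical, the rules and packet are constructed from the ones quoted above, and the rules' direction operator is not modelled.

```python
import ipaddress

# Simplified model (assumption for illustration): rules are grouped by action,
# the groups are tried in a fixed order, and the first matching rule ends the
# search for that packet.
DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 1.x without -o
DASH_O_ORDER = ("pass", "alert", "log")    # Snort 1.x with -o

# Constructed rules mirroring the two in the thread: (action, proto, network, msg)
RULES = [
    ("pass", "icmp", "172.16.100.9/32", "PASSING ICMP from N.A. NOC Server"),
    ("alert", "icmp", "172.16.100.9/32", "ALERTING ICMP FROM N.A. NOC Server"),
]

# Constructed packet matching the syslog line quoted in the thread.
PKT = {"proto": "icmp", "src": "172.16.100.9", "dst": "198.182.113.130"}


def matches(rule, pkt):
    """Protocol must match and either endpoint must fall inside the rule's network."""
    _, proto, net, _ = rule
    network = ipaddress.ip_network(net)
    in_net = any(ipaddress.ip_address(pkt[k]) in network for k in ("src", "dst"))
    return proto == pkt["proto"] and in_net


def evaluate(pkt, rules, order):
    """Return the lines this model would emit for pkt; an empty list means silence."""
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, pkt):
                if action == "pass":
                    # A pass rule stops the search and emits nothing; its msg is unused.
                    return []
                return [f"{action}: {rule[3]}: {pkt['src']} -> {pkt['dst']}"]
    return []


if __name__ == "__main__":
    print("with -o, pass rule active:   ", evaluate(PKT, RULES, DASH_O_ORDER))
    print("with -o, pass rule commented:", evaluate(PKT, RULES[1:], DASH_O_ORDER))
    print("without -o, both rules:      ", evaluate(PKT, RULES, DEFAULT_ORDER))
```

In this model the pass rule only silences the alert when the pass group is evaluated first; under the default order the alert rule matches before the pass rule is ever reached.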