Snort mailing list archives
Re: Help with pass rule
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Aug 2002 23:57:55 -0700 (PDT)
On Wed, 28 Aug 2002 francisv () dagupan com wrote: [...good info snipped...]
The idea is to ignore traffic coming from the $SERVER_NET block going out and ignore scan attempts from outside going inside $HOME_NET. The problem is I still see alerts for scan proxy attempts from outside. This is how I run snort: /usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf
Welcome to the club. ;) Snort variables ($HOME_NET) do not get sent to the pre-processers or the plugins. If you write a pass rule, it needs to also be in the portscan_ignorehosts so that the portscan plugin does not see it as a scan. Hope that helsp! Cheers! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net ------------------------------------------------------- This sf.net email is sponsored by: Jabber - The world's fastest growing real-time communications platform! Don't just IM. Build it in! http://www.jabber.com/osdn/xim _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Help with pass rule francisv (Aug 27)
- Re: Help with pass rule Erek Adams (Aug 28)
- <Possible follow-ups>
- RE: Help with pass rule francisv (Aug 28)
- RE: Help with pass rule Erek Adams (Aug 28)
- RE: Help with pass rule francisv (Aug 28)
- RE: Help with pass rule Erek Adams (Aug 29)
- RE: Help with pass rule francisv (Aug 29)
- RE: Help with pass rule Erek Adams (Aug 29)
- RE: Help with pass rule Erek Adams (Aug 29)
- RE: Help with pass rule Erek Adams (Aug 31)