Snort mailing list archives

Re: Help with pass rule


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Aug 2002 23:57:55 -0700 (PDT)

On Wed, 28 Aug 2002 francisv () dagupan com wrote:

[...good info snipped...]

The idea is to ignore traffic coming from the $SERVER_NET block going out
and ignore scan attempts from outside going inside $HOME_NET. The problem is
I still see alerts for scan proxy attempts from outside. This is how I run
snort:

      /usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf

Welcome to the club.  ;)  Snort variables ($HOME_NET) do not get sent to the
preprocessors or the plugins.

If you write a pass rule, it needs to also be in the portscan_ignorehosts so
that the portscan plugin does not see it as a scan.

Hope that helps!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


