Snort mailing list archives
RE: Help with pass rule
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 31 Aug 2002 07:00:55 -0700 (PDT)
On Sat, 31 Aug 2002 francisv () dagupan com wrote:
I think you're right, I was using the wrong command line parameters. I changed it to: /usr/local/bin/snort -D -k none -o -c /usr/local/etc/snort.conf and it doesn't log the proxy/socks scan! :) Thanks for all your help.
Woo-Hoo! All right! I'm glad we figured it out. [I'm adding snort-users back onto the cc list.]

Erek
-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Saturday, August 31, 2002 2:14 AM
To: francisv () dagupan com
Subject: RE: Help with pass rule

Ok, I've just tested this and I can not duplicate your issue. What I did:

1) Create a rules file called ignore.rules with one rule in it: pass tcp $EXTERNAL_NET any -> $HOME_NET 8080
2) snort -o
3) Logged into a remote machine.
4) On remote: telnet <ip> 8080
5) Nothing on that port, so connection refused.
6) Stopped snort, looked at the stats. No alerts, no logs, one passed.
7) Removed the rule.
8) Started snort with -o
9) On remote: telnet <ip> 8080
10) Stopped snort, looked at the stats. 1 alert, 1 logged, none passed.

Alert file was 0 bytes the first time, and 314 on the second. include $RULEPATH/ignore.rules was the first include of rules, above everything. I'm running: Version 1.9.0beta6 (Build 202) on Solaris.

Out of curiosity, have you done anything like that? I dug out all of your emails and noticed that you are starting it with -D -o and -k. Looking at the code for -k, at about 983 in snort.c, you see that -k seems to look for a parameter. If it is, it might be taking the next flag (-c) as an argument, and might be looking at the wrong config file. Try running it without -D and see if there is anything useful written to the screen. Then try without -D and -k and see if it makes any difference.

Other than command line switches and/or snort version, I've got no idea why this might be happening. Sorry for taking so long to respond: Dinner made me way too full, and it was goodnight to me! :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
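The flag-swallowing behaviour Erek suspects above (an argument-taking switch such as -k consuming the following -c, so the intended config file is never loaded) can be reproduced without Snort, because it is a property of getopt(3)-style parsing rather than of Snort itself. The following is an added example, not code from the thread or from the Snort project: it uses Python's getopt module as a stand-in for the C getopt Snort uses, with an option string that models only the four flags discussed (-D and -o without arguments, -k and -c with one; this is an assumption for illustration, real Snort declares many more). It parses the original broken command line and the corrected one from francisv's follow-up, and includes a small check that flags any option value that itself looks like a switch.

```python
import getopt

# Option string in getopt(3) syntax modelling the four Snort flags the thread
# discusses: -D and -o take no argument, -k and -c each take one.
# Assumption for illustration only; the real Snort option string is longer.
SNORT_OPTS = "Dok:c:"


def parse_snort_argv(argv):
    """Parse argv the way getopt(3) would and report what Snort would see.

    Returns a dict with the config file (-c), the checksum mode (-k), the
    argument-less flags in order, and any leftover non-option words.
    Like C getopt, Python's getopt.getopt stops at the first non-option word.
    """
    opts, rest = getopt.getopt(argv, SNORT_OPTS)
    seen = {"config": None, "checksum": None, "flags": [], "rest": rest}
    for opt, val in opts:
        if opt == "-c":
            seen["config"] = val
        elif opt == "-k":
            seen["checksum"] = val
        else:
            seen["flags"].append(opt)
    return seen


def swallowed_flags(argv):
    """Return (flag, value) pairs whose value starts with '-'.

    An option value that looks like a switch almost always means an
    argument-taking flag consumed the next switch, which is exactly the
    failure mode suspected in the thread. Useful as a sanity check before
    daemonising with -D, where the resulting error would go unseen.
    """
    opts, _ = getopt.getopt(argv, SNORT_OPTS)
    return [(opt, val) for opt, val in opts if val.startswith("-")]


if __name__ == "__main__":
    # Constructed command lines mirroring the thread: the original ordering
    # and the corrected one with an explicit checksum mode after -k.
    broken = ["-D", "-o", "-k", "-c", "/usr/local/etc/snort.conf"]
    fixed = ["-D", "-k", "none", "-o", "-c", "/usr/local/etc/snort.conf"]
    for argv in (broken, fixed):
        print("snort " + " ".join(argv))
        print("   parsed:   ", parse_snort_argv(argv))
        print("   swallowed:", swallowed_flags(argv))
```

With the original ordering, -k takes the literal string "-c" as its checksum mode and the config path is left over as a bare non-option word, so no -c is ever seen; with "-k none" in place the config file is picked up as intended. Running the daemon once without -D, as Erek suggests, is the operational equivalent of the swallowed_flags check: the parse error surfaces on the terminal instead of being lost.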