Snort mailing list archives
Re: Pass Rule
From: Joseph Nuara <joe () moorecap com>
Date: Tue, 26 Nov 2002 16:44:22 -0500 (EST)
I have it at the top of the rules list (local.rules, dns.rules) and it is still sending the messages. Any other ideas?

On 26 Nov 2002, Frank Knobbe wrote:

> On Tue, 2002-11-26 at 14:48, Joseph Nuara wrote:
> > I am trying to pass all traffic to and from a specific IP that matches
> > the following rule in dns.rules:
> >
> > alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL\: 1 min. and no authority"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:2;)
> >
> > I am using the -o option to snort and have created this rule in
> > local.rules (where the x's are real ip addy's):
> >
> > pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53 (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; )
> >
> > I'm sure it's something simple but I just seem to keep dancing around
> > the issue. Thanks in advance for the help.
>
> I would suggest to put any pass rules in a file called pass.rules, and
> load it in your snort.conf before any other rules.
>
> Regards,
> Frank
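Added example, not part of the original thread: a simplified Python model of how Snort's rule-testing order (alert, pass, log by default; pass, alert, log with `-o`) and the rule header fields decide whether a pass rule suppresses an alert such as sid 253. The IP addresses, the `PASS_ANY` variant and all function names are assumptions made for illustration, and rule options (including `content`) are ignored.

```python
# Simplified model of Snort rule selection (header fields only, options ignored).
# IP addresses are constructed documentation values, not taken from the thread.
DEFAULT_ORDER = ("alert", "pass", "log")  # action groups as tested without -o
DASH_O_ORDER = ("pass", "alert", "log")   # action groups as tested with snort -o
KEYS = ("action", "proto", "src", "sport", "dir", "dst", "dport")

def parse_header(rule):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    header = rule.split("(", 1)[0].split()
    if len(header) != len(KEYS):
        raise ValueError("malformed rule header: %r" % rule)
    return dict(zip(KEYS, header))

def field_matches(spec, value):
    # Assumption: 'any' and unexpanded $VARIABLES act as wildcards in this model.
    return spec == "any" or spec.startswith("$") or spec == str(value)

def header_matches(h, pkt):
    def one_way(src, sport, dst, dport):
        return (field_matches(h["src"], src) and field_matches(h["sport"], sport)
                and field_matches(h["dst"], dst) and field_matches(h["dport"], dport))
    if h["proto"] != pkt["proto"]:
        return False
    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    # The bidirectional operator <> also matches the reverse flow.
    return forward or (h["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))

def verdict(rules, pkt, order):
    """Return the action of the first action group with a matching rule, else None."""
    parsed = [parse_header(r) for r in rules]
    for action in order:
        if any(h["action"] == action and header_matches(h, pkt) for h in parsed):
            return action
    return None

ALERT = "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (sid:253;)"  # options abbreviated
PASS_53 = "pass udp 192.0.2.53 53 -> 198.51.100.10 53"    # header shape as posted
PASS_ANY = "pass udp 192.0.2.53 53 -> 198.51.100.10 any"  # hypothetical variant

def dns_reply(dport):
    return {"proto": "udp", "src": "192.0.2.53", "sport": 53,
            "dst": "198.51.100.10", "dport": dport}

if __name__ == "__main__":
    for rules, dport, order in [([PASS_53, ALERT], 53, DASH_O_ORDER),
                                ([PASS_53, ALERT], 53, DEFAULT_ORDER),
                                ([PASS_53, ALERT], 33000, DASH_O_ORDER),
                                ([PASS_ANY, ALERT], 33000, DASH_O_ORDER)]:
        print(rules[0], dport, order[0], "->", verdict(rules, dns_reply(dport), order))
```

In this model a pass header with destination port 53 only covers replies addressed to port 53; a reply to any other destination port still reaches the alert group even with `-o`.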