Snort mailing list archives
Pass Rules Questions
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 30 Jan 2003 13:22:41 -0600 (CST)
Hello,

I've got a problem with some pass rules that don't seem to be passing. Snort is v1.9.0, I'm running it on a stealth interface (eth1) connected to a monitoring port on my switch. I'd like snort to ignore traffic to and from port 25. Here are the two rules I've added to local.rules to accomplish this:

    pass tcp $HOME_NET 1025:65535 <> any 25
    pass tcp $HOME_NET 25 <> any 1025:65535

HOME_NET is defined in snort.conf:

    var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]

Snort is invoked thusly:

    /usr/local/bin/snort -b -d -D -o -i eth1 -c /etc/snort/snort.conf

Looking through my ACID logs:

    (spp_portscan2) Portscan detected from www.xxx.yyy.zzz: 1 targets 21 ports in 58 seconds
    2003-01-30 13:02:34-06 SRC: www.xxx.yyy.zzz:25 DST aaa.bbb.ccc.ddd:34722 PROTO: TCP

Additionally, in snort.conf, I've defined:

    var IGNORE_PORTSCAN $HOME_NET
    preprocessor portscan2-ignorehosts: $IGNORE_PORTSCAN

Any guidance greatly appreciated.

Thanks.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com