Snort mailing list archives

Pass Rules Questions


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 30 Jan 2003 13:22:41 -0600 (CST)

Hello,

I've got a problem with some pass rules that don't seem to be passing.

Snort is v1.9.0, I'm running it on a stealth interface (eth1) connected to
a monitoring port on my switch.

I'd like snort to ignore traffic to and from port 25.  Here
are the two rules I've added to local.rules to accomplish this:

pass tcp $HOME_NET 1025:65535 <> any 25
pass tcp $HOME_NET 25 <> any 1025:65535

HOME_NET is defined in snort.conf:

var HOME_NET [aaa.bbb.ccc.ddd/24,eee.fff.ggg.hhh/26,iii.jjj.kkk.lll/28]

Snort is invoked thusly:

/usr/local/bin/snort -b -d -D -o -i eth1 -c /etc/snort/snort.conf

Looking through my ACID logs:

(spp_portscan2) Portscan detected from www.xxx.yyy.zzz:
1 targets 21 ports in 58 seconds

2003-01-30 13:02:34-06
SRC: www.xxx.yyy.zzz:25
DST: aaa.bbb.ccc.ddd:34722
PROTO: TCP

Additionally, in snort.conf, I've defined:

var IGNORE_PORTSCAN $HOME_NET
preprocessor portscan2-ignorehosts: $IGNORE_PORTSCAN

Any guidance greatly appreciated.

Thanks.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
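The following is an added example, not part of the original post or of Snort itself. It evaluates the two pass rule headers from the post against the packet that ACID logged, using a small Python re-implementation of Snort's header matching (protocol, source/destination address lists, port ranges, and the bidirectional `<>` operator). The HOME_NET blocks and the external host are constructed RFC 5737/RFC 2544 test addresses standing in for the redacted ones. The result is that the logged packet (external:25 to HOME_NET:34722) does match the first pass rule, which points at the real cause: the event is raised by the spp_portscan2 preprocessor, and preprocessors run before the detection engine, so pass rules never see it. The `-o` switch on the command line only reorders alert and pass rules inside the detection engine; it has no effect on preprocessor events.

```python
"""Evaluate Snort 1.x-style pass rule headers against a logged packet.

Added example; not Snort's own code. Addresses below are constructed.
"""
import ipaddress

# Constructed stand-ins for the redacted HOME_NET blocks (RFC 5737 test ranges).
VARIABLES = {"HOME_NET": ["192.0.2.0/24", "198.51.100.0/26", "203.0.113.0/28"]}

# The two pass rules quoted in the post, verbatim.
PASS_RULES = [
    "pass tcp $HOME_NET 1025:65535 <> any 25",
    "pass tcp $HOME_NET 25 <> any 1025:65535",
]


def parse_ports(spec):
    """'any', 'N', 'lo:hi', 'lo:' or ':hi' -> inclusive (lo, hi) tuple."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def parse_addrs(spec, variables=VARIABLES):
    """'any' -> None (wildcard); '$VAR' or 'a.b.c.d/n' -> list of networks."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        return [ipaddress.ip_network(n) for n in variables[spec[1:]]]
    return [ipaddress.ip_network(spec, strict=False)]


def parse_rule(text):
    """Split a header-only rule into its seven fields."""
    action, proto, src, sports, direction, dst, dports = text.split()
    return {"action": action, "proto": proto,
            "src": parse_addrs(src), "sports": parse_ports(sports),
            "dir": direction,
            "dst": parse_addrs(dst), "dports": parse_ports(dports)}


def _addr_ok(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def _port_ok(rng, port):
    return rng[0] <= port <= rng[1]


def _one_way(rule, src_ip, sport, dst_ip, dport):
    return (_addr_ok(rule["src"], src_ip) and _port_ok(rule["sports"], sport)
            and _addr_ok(rule["dst"], dst_ip) and _port_ok(rule["dports"], dport))


def rule_matches(rule, proto, src_ip, sport, dst_ip, dport):
    """True if the header matches the packet in either direction allowed by it."""
    if rule["proto"] != proto:
        return False
    if _one_way(rule, src_ip, sport, dst_ip, dport):
        return True
    # '<>' is bidirectional: the header also matches with the endpoints swapped.
    return rule["dir"] == "<>" and _one_way(rule, dst_ip, dport, src_ip, sport)


def first_matching_pass_rule(proto, src_ip, sport, dst_ip, dport, rules=PASS_RULES):
    """Index of the first pass rule whose header matches, or None."""
    for i, text in enumerate(rules):
        if rule_matches(parse_rule(text), proto, src_ip, sport, dst_ip, dport):
            return i
    return None


if __name__ == "__main__":
    # The packet from the ACID entry: external host port 25 -> HOME_NET host port 34722.
    # 198.18.0.5 is a constructed external address (RFC 2544 benchmarking range).
    idx = first_matching_pass_rule("tcp", "198.18.0.5", 25, "192.0.2.77", 34722)
    print("matching pass rule:", idx)  # 0: the detection engine would pass this packet
    print("preprocessor events (spp_portscan2) are raised before pass rules run")
```

Because the match succeeds, the rules themselves are not the problem; the portscan2 event has to be suppressed at the preprocessor (its own ignore list) rather than with pass rules.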



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
