Snort mailing list archives
RE: Update to previous e-mail
From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Mon, 3 Nov 2003 16:10:25 -0500
Hi Matt -- I did include the -o option in the command syntax. FYI, the syntax is as follows:

/usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o

The location of the policy-based.rules file is /etc/snort.

Update: commenting out the first few lines, while significantly reducing the number of alerts, has not totally eliminated them. However, they appear at this point to be few and far enough between for me to be able to manage them much more easily.

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Monday, November 03, 2003 4:03 PM
To: Kaplan, Andrew H.; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Update to previous e-mail

At 03:10 PM 11/3/2003, Kaplan, Andrew H. wrote:
> alert tcp any any -> [any,10.10.0.0/24] any
Um.. what's the purpose of that? It is functionally the same as:

alert tcp any any -> any any

And that's significantly more legible.
> While these lines were uncommented, I would get an enormous amount of alerts from the 10.10.0.0 subnet even though subsequent pass rules told snort to let pass any and all ip, tcp, and udp traffic on any port.
Did you pass the -o option to snort? If you don't pass -o then all alert rules will execute before all pass rules, without regard for what order they are placed in the file. Thus, in the default scenario, pass rules do absolutely nothing to prevent alerts.

There is ALWAYS a precedence relationship between types of rules in snort.. you can never use file locations to cause ordering of different kinds of rules. The default rule order is alert first, pass second, log third. If you use -o the order becomes pass, alert, log.
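The precedence Matt describes, as an added example that is not part of the thread or of Snort itself: a small Python model of Snort 2.x rule-type ordering, using constructed rules shaped like Andrew's (an alert rule aimed at 10.10.0.0/24 and a later pass rule). It assumes a simplified first-match model in which the first matching rule, consulted type by type, decides the packet's fate.

```python
import ipaddress

# Constructed rules modelled on the thread: file order puts the alert rule
# before the pass rule, which is what Andrew's policy-based.rules did.
RULES = [
    {"action": "alert", "proto": "tcp", "dst": ["any", "10.10.0.0/24"], "msg": "noisy policy rule"},
    {"action": "pass",  "proto": "tcp", "dst": ["any"],                 "msg": "let tcp through"},
    {"action": "log",   "proto": "tcp", "dst": ["any"],                 "msg": "log the rest"},
]

DEFAULT_ORDER = ["alert", "pass", "log"]   # snort started without -o
O_FLAG_ORDER = ["pass", "alert", "log"]    # snort started with -o


def dst_matches(cidrs, dst_ip):
    """True if dst_ip falls in any listed network; 'any' matches everything,
    which is why [any,10.10.0.0/24] is equivalent to plain any."""
    ip = ipaddress.ip_address(dst_ip)
    return any(c == "any" or ip in ipaddress.ip_network(c) for c in cidrs)


def evaluate(rules, order, proto, dst_ip):
    """Simplified model (assumption, not Snort's real engine): rule types are
    walked in `order`; within a type, rules are tried in file order; the first
    match decides. File position never changes which type is consulted first."""
    for rtype in order:
        for rule in rules:
            if (rule["action"] == rtype and rule["proto"] == proto
                    and dst_matches(rule["dst"], dst_ip)):
                return rule["action"], rule["msg"]
    return "none", ""


def compare_orders(proto="tcp", dst_ip="10.10.0.5"):
    """Return the outcome for one constructed packet under both orderings."""
    return {
        "default": evaluate(RULES, DEFAULT_ORDER, proto, dst_ip),
        "with -o": evaluate(RULES, O_FLAG_ORDER, proto, dst_ip),
    }


if __name__ == "__main__":
    for mode, (action, msg) in compare_orders().items():
        print(f"{mode:8s}: {action:5s} ({msg})")
```

Without -o the pass rule is never reached for that packet, so the alert fires exactly as Andrew observed; with -o the pass rule wins and nothing is alerted.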