Snort mailing list archives

simple snort pass


From: ICO Staff <icostaff () mail gunnison com>
Date: Sun, 11 Jan 2004 20:52:52 -0700 (MST)



Hello all. I've read the documentation but I can't get this simple pass
rule to work. This rule is located in local.rules, which is included and
being executed.

The pass rule (on one line, and with no x's) is as follows:

pass udp X.X.186.250 any -> $HOME_NET any (msg:"argus/stats doing their
thing.";ip_proto:esp;rev:1;)

I use ./snort -oDc ../etc/snort.conf to run the mother and it still shows
the traffic from X.X.186.250 to my $home_net -- which is defined
properly as such: [X.X.184.0/24,X.X.186.0/24,10.1.1.0/24]

Here is the alert detail:

#0-(1-19) SNMP request udp 2004-01-11 12:13:02 X.X.186.250:33376
X.X.184.21:161 UDP

186.250 has legitimate snmp requests so I want them silenced!

Any suggestions?

-Peter



