Snort mailing list archives
-o and pass/alert/log usage
From: Joe Fico <Fico () AirAuto COM>
Date: Tue, 26 Jun 2001 13:07:39 -0700
Greetings all! I seem to be having problems (or misunderstandings) with the PASS option.

In /etc/rc.d/init.d/snortd I have:

    case "$1" in
      start)
        echo -n "Starting snort: "
        daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
            -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;

In my local rules file I have:

    alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
    alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP Redirect .28 (Network)"; itype:5; icode:0;)
    alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP Redirect .37 (Network)"; itype:5; icode:0;)
    #
    pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode: 0;)
    pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)
    pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any ";)
    pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
    alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
    #

and sure enough I get:

    Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37 (Network): 198.182.113.1 -> 198.182.113.37

This is good; I know I can write at least one rule right :) But I also get:

    Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network): 198.182.113.1 -> 198.182.113.83

First off, shouldn't it have been taken care of by one of the PASS rules I wrote? Second, do PASS rules get logged like the rules I wrote above? How do I know I am passing something successfully, besides that it never shows up again?

Thanks.

J

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
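Added example (not from the post and not Snort's own code): a small Python model of how Snort 1.x orders its rule-action groups with and without -o, run over the post's local rules in reduced form and a packet constructed from the second log line. The HOME_NET values, the reduced rule set, and the "first hit in the first group wins" model are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str             # pass / alert / log
    src: str                # "any", "$HOME_NET" or a literal address
    dst: str
    msg: str
    itype: Optional[int] = None
    icode: Optional[int] = None
    bidir: bool = False     # models the "<>" operator

# The post's local rules, reduced to "->"/"<>" form (the .1/.37 rule is written
# in the direction the poster's own alert line shows); other rules omitted.
LOCAL_RULES = [
    Rule("alert", "198.182.113.1", "198.182.113.37",
         "AAI ROUTER ICMP Redirect .37 (Network)", 5, 0),
    Rule("pass", "any", "any", "PASS ICMP Echo Request", 8, 0),
    Rule("pass", "$HOME_NET", "$HOME_NET", "PASSING ICMP REDIRECT", 5, 0, True),
    Rule("alert", "$HOME_NET", "$HOME_NET", "ALERTING ICMP REDIRECT", 5, 0, True),
]
def _ip_ok(spec, ip, home):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(ip) in home
    return ip == spec
def _matches(r, pkt, home):
    src, dst, itype, icode = pkt
    ends = _ip_ok(r.src, src, home) and _ip_ok(r.dst, dst, home)
    if r.bidir:  # "<>": either endpoint may be the source
        ends = ends or (_ip_ok(r.src, dst, home) and _ip_ok(r.dst, src, home))
    return ends and r.itype in (None, itype) and r.icode in (None, icode)
def first_match(pkt, home_net, reorder, rules=LOCAL_RULES):
    """Rule Snort 1.x acts on: action groups are tried Alert->Pass->Log by
    default, Pass->Alert->Log with -o; first hit in the first group wins."""
    home = ipaddress.ip_network(home_net)  # assumed HOME_NET value, passed in
    order = ("pass", "alert", "log") if reorder else ("alert", "pass", "log")
    for action in order:
        for r in rules:
            if r.action == action and _matches(r, pkt, home):
                return r
    return None
def output_line(rule, pkt):
    """Pass rules match silently: their msg never reaches the alert log."""
    if rule is None or rule.action == "pass":
        return None
    return f"{rule.msg}: {pkt[0]} -> {pkt[1]}"
```

In this model a matching pass rule produces nothing at all, so the only sign of a successful pass is the absence of the alert. Note also that with -o and a HOME_NET covering 198.182.113.0/24 the same pass rule would swallow the .37 redirect the poster does see, so comparing the configured $HOME_NET against the alerts actually produced is the first check.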
Current thread:
- -o and pass/alert/log usage Joe Fico (Jun 26)
- <Possible follow-ups>
- FW: -o and pass/alert/log usage Joe Fico (Jun 27)
- Re: FW: -o and pass/alert/log usage Phil Wood (Jun 27)
- RE: -o and pass/alert/log usage Sheahan, Paul (PCLN-NW) (Jun 27)
- Re: -o and pass/alert/log usage Joe McAlerney (Jun 27)
- RE: -o and pass/alert/log usage Joe Fico (Jun 27)
- RE: -o and pass/alert/log usage James Hoagland (Jun 28)
- Re: -o and pass/alert/log usage Joe McAlerney (Jun 27)
- Re: -o and pass/alert/log usage Tony Lill (Jun 28)