Snort mailing list archives
RE: -o and pass/alert/log usage
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 27 Jun 2001 14:17:56 -0400
I was told in another post that it doesn't matter WHERE the pass rules are in any of the .rules files, and it doesn't matter in what order the rules files are included in snort.conf. If you use the -o option, all pass rules are taken into account first, then alerts. If this is wrong, I'd like to know so I get it straight too!

-----Original Message-----
From: Joe Fico [mailto:Fico () AirAuto COM]
Sent: Wednesday, June 27, 2001 1:57 PM
To: Snort-users
Subject: FW: [Snort-users] -o and pass/alert/log usage

So what Olivier is saying (below) is that even with the -o option on startup the PASS action doesn't stop a packet from continuing down the rule list until it gets hit by an ALERT action? I'm confused what PASS is supposed to do then...

-----Original Message-----
From: Olivier Grumelard
Sent: Tuesday, June 26, 2001 3:25 PM
To: Joe Fico
Subject: Re: [Snort-users] -o and pass/alert/log usage

"alert" rules have priority over "pass" rules, even if you write the "pass" rule before the "alert" rule.

Hope that helps,
Olivier.

At 13:07 26/06/01 -0700, you wrote:
Greetings all! I seem to be having problems (or misunderstandings) with the PASS option.

In /etc/rc.d/init.d/snortd I have

    case "$1" in
      start)
        echo -n "Starting snort: "
        daemon /usr/sbin/snort -o -u snort -g snort -s -d -D \
          -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;

In my local rules file I have

    alert icmp 172.16.100.9 any <- any any (msg:"NOC Server";)
    alert icmp 198.182.113.1 any <- 198.182.113.28 any (msg:"AAI ROUTER ICMP Redirect .28 (Network)"; itype:5; icode:0;)
    alert icmp 198.182.113.1 any <- 198.182.113.37 any (msg:"AAI ROUTER ICMP Redirect .37 (Network)"; itype:5; icode:0;)
    # pass icmp any any -> any any (msg:"PASS ICMP Echo Reply"; itype: 0; icode: 0;)
    pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)
    pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any ";)
    pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
    alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)
    #

and sure enough I get

    Jun 26 15:42:34 localhost snort[3570]: AAI ROUTER ICMP Redirect .37 (Network): 198.182.113.1 -> 198.182.113.37

This is good, I know I can write at least one rule right :) but I also get

    Jun 26 15:42:55 localhost snort[3570]: ICMP Redirect (Network): 198.182.113.1 -> 198.182.113.83

First off, shouldn't it have gotten taken care of by one of the PASS rules I wrote? Second, do PASS rules get logged like I wrote the above rules? How do I know I am passing something successfully besides that it never shows up again.

Thanks.
J

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
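The ordering the thread is arguing about (alert rules before pass rules by default, pass rules before alert rules with -o, first match within a group wins and ends evaluation) is easy to see in a small model. The block below is an added example, not code from the thread or from Snort itself. It parses the ICMP rules Joe posted plus a constructed stand-in for the stock "ICMP Redirect (Network)" alert rule, and it assumes $HOME_NET expands to 198.182.113.0/24 (a constructed value; the thread never says what it is). The matcher only understands the header fields and the itype/icode options used here; everything else real Snort does is left out. A pass match returns the rule's msg only so the reader can see which rule won; real pass rules write nothing to the alert log.

```python
"""Toy model of Snort 1.x rule-type ordering (added example, not Snort code).

Snort groups rules by action and evaluates the groups in a fixed order:
    default   Alert -> Pass -> Log
    with -o   Pass  -> Alert -> Log
Within a group the first matching rule wins and evaluation stops, so a
packet matched by an alert rule never reaches the pass rules unless -o
moves the pass group in front.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed value: the thread never states what $HOME_NET expands to.
VARIABLES = {"$HOME_NET": "198.182.113.0/24"}

# Only the "->" and "<>" direction operators exist in Snort.
RULE_RE = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    bidir: bool
    opts: dict


def parse_rule(text):
    """Parse one rule line into a Rule; options become a dict of key -> value."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    opts = {}
    for item in m["opts"].split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"').strip()
    return Rule(m["action"], m["proto"], m["src"], m["dst"], m["dir"] == "<>", opts)


def addr_matches(spec, addr):
    """True if the address falls inside the rule's address spec (any, CIDR, host, or variable)."""
    spec = VARIABLES.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != pkt["proto"]:
        return False
    fwd = addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])
    rev = rule.bidir and addr_matches(rule.src, pkt["dst"]) and addr_matches(rule.dst, pkt["src"])
    if not (fwd or rev):
        return False
    for opt in ("itype", "icode"):
        if opt in rule.opts and int(rule.opts[opt]) != pkt.get(opt):
            return False
    return True


def evaluate(rules, pkt, dash_o=False):
    """Return (action, msg) of the rule that decides the packet, or None if nothing matched."""
    order = ["pass", "alert", "log"] if dash_o else ["alert", "pass", "log"]
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.opts.get("msg")
    return None


# Rules from the thread (the pass rules and the $HOME_NET alert) plus a constructed
# stand-in for the stock "ICMP Redirect (Network)" rule that fired in Joe's log.
RULES = [parse_rule(r) for r in [
    'alert icmp any any -> any any (msg:"ICMP Redirect (Network)"; itype:5; icode:0;)',
    'pass icmp any any -> any any (msg:"PASS ICMP Echo Request"; itype: 8; icode: 0;)',
    'pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP $HOME_NET any -> $HOME_NET any ";)',
    'pass icmp $HOME_NET any <> $HOME_NET any (msg:"PASSING ICMP REDIRECT $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)',
    'alert icmp $HOME_NET any <> $HOME_NET any (msg:"ALERTING ICMP $HOME_NET any -> $HOME_NET any ";itype:5; icode:0;)',
]]


def redirect(src, dst):
    """Constructed ICMP redirect (type 5, code 0) packet summary."""
    return {"proto": "icmp", "src": src, "dst": dst, "itype": 5, "icode": 0}


# The redirect that alerted in the thread, and a constructed one from outside $HOME_NET.
INSIDE = redirect("198.182.113.1", "198.182.113.83")
OUTSIDE = redirect("10.0.0.1", "198.182.113.83")


def demo():
    return {
        "default_inside": evaluate(RULES, INSIDE),
        "dash_o_inside": evaluate(RULES, INSIDE, dash_o=True),
        "dash_o_outside": evaluate(RULES, OUTSIDE, dash_o=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Without -o the redirect between two $HOME_NET hosts is decided by the alert group and never reaches the pass rules, which is Olivier's point; with -o the bidirectional $HOME_NET pass rule claims it first, which is Paul's. The third case is the check worth making when a pass rule "does not work" under -o: a pass rule bounded by $HOME_NET on both sides cannot match a redirect whose source lies outside that range, so the generic alert still fires.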
Current thread:
- -o and pass/alert/log usage Joe Fico (Jun 26)
- <Possible follow-ups>
- FW: -o and pass/alert/log usage Joe Fico (Jun 27)
- Re: FW: -o and pass/alert/log usage Phil Wood (Jun 27)
- RE: -o and pass/alert/log usage Sheahan, Paul (PCLN-NW) (Jun 27)
- Re: -o and pass/alert/log usage Joe McAlerney (Jun 27)
- RE: -o and pass/alert/log usage Joe Fico (Jun 27)
- RE: -o and pass/alert/log usage James Hoagland (Jun 28)
- Re: -o and pass/alert/log usage Joe McAlerney (Jun 27)
- Re: -o and pass/alert/log usage Tony Lill (Jun 28)