Snort mailing list archives

Re: -o and pass/alert/log usage


From: Joe McAlerney <joey () SiliconDefense com>
Date: Wed, 27 Jun 2001 15:39:10 -0700

Paul: That is correct.  Pass rules take precedence when -o is used,
regardless of where they are located with respect to alert rules.

Joe:  Looking at your problem, I'm wondering if your ROUTER ICMP alert
rules contain addresses that are outside of your HOME_NET.  This would
explain why they are not being passed on.  First, make them valid
addresses by adding the /32 netmask.  Next, confirm that they do exist
in your HOME_NET.  If that doesn't help, try changing $HOME_NET in your
pass rules to "any".  Next, I would try removing the $HOME_NET variables
from the msg field, take out the "->" in the msg field while you are at
it.  We're just making sure Snort is parsing the rule incorrectly.

Post back with your findings.

Hope this helps,

-Joe M.

-- 
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
"Sheahan, Paul (PCLN-NW)" wrote:

I was told in another post that it doesn't matter WHERE the pass rules are
in any of the .rules files, and it doesn't matter in what order the rules
files are included in snort.conf. If you use the -o option, all pass rules
are taken into account first, then alerts. If this is wrong, I'd like to
know so I get it straight too!

-----Original Message-----
From: Joe Fico [mailto:Fico () AirAuto COM]
Sent: Wednesday, June 27, 2001 1:57 PM
To: Snort-users
Subject: FW: [Snort-users] -o and pass/alert/log usage

So what Olivier is saying (below) is that even with the -o option on startup
the PASS action doesn't stop a packet from continuing down the rule list
until it gets hit by an ALERT action? I'm confused what PASS is supposed to
do then...
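A minimal rule file that puts the advice in this thread into practice, added here as an illustration and not taken from any of the posts; the HOME_NET range, router address and file name are constructed, and the rules use the Snort 1.x syntax of the period:

```snort
# snort.conf fragment (constructed example)
#
# Start Snort with -o so that pass rules are evaluated before alert rules:
#   snort -o -c snort.conf
# Without -o the alert rule below is checked first and fires on every
# router ICMP packet, no matter where the pass rule sits in the file.

# HOME_NET must actually contain the router address; a pass rule written
# against $HOME_NET can never match traffic to a host outside it.
var HOME_NET 192.168.1.0/24

# Generic ICMP alert. It is deliberately listed before the pass rule:
# with -o, file position does not decide precedence, the rule type does.
alert icmp any any -> $HOME_NET any (msg:"ICMP to HOME_NET";)

# Router ICMP pass rule. The router address carries an explicit /32 so it
# is a valid host address. The msg field is kept plain: no $HOME_NET
# variable and no "->" inside it, so there is nothing odd for the parser.
pass icmp 192.168.1.1/32 any -> $HOME_NET any (msg:"pass router ICMP";)

# Troubleshooting variant from the thread: if the rule above still does
# not suppress the alert, widen the destination to "any" to rule out a
# HOME_NET mismatch, then narrow it back once the pass is confirmed.
# pass icmp 192.168.1.1/32 any -> any any (msg:"pass router ICMP any";)
```

Once the pass rule is confirmed to work with the widened destination, re-check the HOME_NET definition rather than leaving the "any" version in place.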
