Snort mailing list archives

Snort Rules

From: Brian Carpio <carb02 () csgsystems com>
Date: Thu, 7 Jun 2001 15:53:12 -0600 (MDT)


I have created a rule in my local.rules file (which is included in the
snort.conf file and the other rules in that file work but one)

I have a monitor server which snort records as 

Jun  7 15:50:54 prod-backup snort[3682]: [ID 244969 auth.alert] ICMP Echo
Request *NIX: 205.144.151.100 -> 205.144.151.83

that's from /var/adm/messages


I have created a rule 

pass 205.144.151.100/32 any -> 205.144.151.83/32 any 


but messages are still getting recored in the /var/adm/messages from ICMP
Requests from this box.. what's wrong with my rule?? does the order of
rules in the snort.conf file regulate this?? Which takes presence a pass
rule or an alert rule??


Brian Carpio



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort Rules Brian Carpio (Jun 07)
- <Possible follow-ups>
- Re: Snort Rules Neil Dickey (Jun 07)
  - Re: Snort Rules Colin Wu (Jun 07)
    - Re: Snort Rules Brian Carpio (Jun 08)
- Re: Snort Rules Neil Dickey (Jun 08)