Snort mailing list archives

Re: Rules: reliably ignoring a host


From: Chris Adams <chris () improbable org>
Date: Mon, 6 Aug 2001 11:48:48 -0700

On Monday, August 6, 2001, at 04:36 AM, Martin Roesch wrote:

> Isn't NFS on port 2049 instead of 2409?  Barring that being the problem,

It is (note to self: type once, check twice, then send) but I had the correct port in the actual local.rules file and the problem still happened with "any".

> Rule application order: ->pass->activation->dynamic->alert->log

I did check that and it is showing the correct order.

> If "pass" isn't the first thing there, then something's wrong.  If all
> you want to do is completely ignore this machine's NFS traffic, try a
> BPF filter if all else fails:
>
> snort -t /var/log/snort -l . -b -c config/snort.conf -o -A fast -m 037 -y not port 2049

BPF works, as did setting EXTERNAL_NET and HOME_NET to more accurate values. At this point, I was more curious about why it didn't work.

Chris
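As an added illustration (not configuration posted by either participant), a snort.conf fragment that ignores one NFS server's traffic with pass rules, plus the host-scoped BPF filter as the fallback the reply suggests. The variable name NFS_SERVER and the address 192.168.1.10 are placeholders.

```snort
# Added example; NFS_SERVER and 192.168.1.10 are placeholders, not
# values from the thread. Replace with the real file server address.
var NFS_SERVER 192.168.1.10

# NFS listens on port 2049 (not 2409) and is carried over both TCP and
# UDP, so one pass rule per protocol. "<>" matches either direction,
# and the client side port is left as "any" because it varies.
pass tcp $NFS_SERVER 2049 <> any any
pass udp $NFS_SERVER 2049 <> any any

# These pass rules are only evaluated ahead of the alert rules when
# Snort is started with -o (rule order pass->alert->log). Without -o
# the default order is alert->pass->log, so an alert rule can still
# fire on the NFS traffic before the pass rule is ever reached:
#   snort -c snort.conf -o -l /var/log/snort
#
# Fallback from the reply: a BPF filter discards the packets before any
# rule is tested. Scoping it to the host keeps NFS traffic from every
# other machine visible, whereas "not port 2049" hides all NFS:
#   snort -c snort.conf -l /var/log/snort 'not (host 192.168.1.10 and port 2049)'
```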
