Snort mailing list archives
newbie pass rule question
From: Eric Garnel <egarnel3470 () yahoo com>
Date: Tue, 18 Jun 2002 07:47:28 -0700 (PDT)
I have snort up and running and have set up HOME_NET to the subnet that the external nic of the snort box sits on (our public subnet) and have set EXTERNAL_NET to any !$HOME_NET in snort.conf. I am seeing local pings between some of my devices that I want to ignore. Do I have to use a pass.rule with the -o flag? or can I just add them to the icmp.rules with the pass option instead of alert? Also, I am a little confused with the syntax: If I wanted to include hosts to ignore-portscans in the preprocessor portscan-ignorehosts is it 111.222.333.444/32 222.333.444.555/32... or [111.222.333.444/32 111.222.444.555/32...] I see examples of both on the web. running snort 1.8.1 Thanks __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com ---------------------------------------------------------------------------- Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<< _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- newbie pass rule question Eric Garnel (Jun 18)
- Re: newbie pass rule question Erek Adams (Jun 18)