Snort mailing list archives

Unable to get Pass rules to ignore some traffic.


From: "David E. Gianndrea" <daveg () comsquared com>
Date: Wed, 17 Jul 2002 17:03:19 -0400

I'm having an issue where I'm trying to keep down my false alerts for valid
traffic between hosts by using pass rules. As an example...

var HOME_NET 1.61.0.0/16
var EXTERNAL_NET !$HOME_NET
var BRANCH_NETS [1.182.0.0/16,1.62.0.0/16,1.69.0.0/16]

pass udp $BRANCH_NETS any -> x.x.0.2 162 (msg:"SNMP trap udp";
reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013;  sid:1419; rev:2;
classtype:attempted-recon;)


/usr/local/snort-eth0/bin/snort -u snort -g snort -i eth0 -d -D -o -c
/usr/local/snort-eth0/etc/snort.conf -l /var/log/snort/snort-eth0

I'm unsure about the order that Snort will process these rules, but
I moved the local.rules to the top of the list in the snort.conf.

I'm using Version 1.8.7 (Build 128) of Snort.

Anyone got any clues?

-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.
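In Snort 1.x the rule groups are applied in the order Alert, Pass, Log unless -o is given, which switches them to Pass, Alert, Log; whether a pass rule ever suppresses an alert therefore depends on that order, not on where the rule sits in snort.conf. The toy evaluator below is an added example, not part of the post and not Snort's own matching engine. It parses a small constructed config modelled on the one above (1.61.0.2 stands in for the elided collector address x.x.0.2, and the alert rule is constructed) and evaluates constructed SNMP trap packets under both orders.

```python
import ipaddress
import re

# Constructed sample config modelled on the post: variables plus a pass rule
# and an alert rule for the same SNMP trap traffic. 1.61.0.2 stands in for the
# post's elided collector address x.x.0.2; the alert rule is constructed.
SAMPLE_CONF = """\
var HOME_NET 1.61.0.0/16
var EXTERNAL_NET !$HOME_NET
var BRANCH_NETS [1.182.0.0/16,1.62.0.0/16,1.69.0.0/16]
pass udp $BRANCH_NETS any -> 1.61.0.2 162 (msg:"SNMP trap udp"; sid:1419; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; sid:1419; rev:2;)
"""

RULE_RE = re.compile(
    r"^(pass|alert|log)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

# Snort 1.x applies rule groups in this order unless -o is given.
DEFAULT_ORDER = ("alert", "pass", "log")
O_FLAG_ORDER = ("pass", "alert", "log")


def expand_vars(token, variables):
    """Substitute $VAR references; a variable may itself reference another."""
    while "$" in token:
        m = re.search(r"\$(\w+)", token)
        if not m or m.group(1) not in variables:
            raise ValueError("undefined variable in %r" % token)
        token = token.replace(m.group(0), variables[m.group(1)])
    return token


def parse_addr(spec):
    """Return (negated, networks) for 'any', a CIDR, a [list] or a !-prefixed
    form; networks is None for 'any'. Nested negation inside lists is not
    modelled."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, None
    parts = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(p.strip()) for p in parts]


def addr_matches(addr_spec, ip):
    negated, nets = addr_spec
    hit = True if nets is None else any(ip in n for n in nets)
    return hit != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def parse_conf(text):
    """Parse var lines and single-line rules into rule dicts."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = expand_vars(value, variables)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        action, proto, src, sport, dst, dport, opts = m.groups()
        sid = re.search(r"sid:(\d+)", opts)
        rules.append({
            "action": action, "proto": proto,
            "src": parse_addr(expand_vars(src, variables)), "sport": sport,
            "dst": parse_addr(expand_vars(dst, variables)), "dport": dport,
            "sid": int(sid.group(1)) if sid else None,
        })
    return rules


def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"]))


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Try each action group in the given order; the first matching rule
    decides. Returns 'pass', 'alert', 'log' or None if nothing matched."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action
    return None


def packet(src, dst, dport, proto="udp", sport=50000):
    """Build a constructed packet header as the evaluator expects it."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    branch_trap = packet("1.62.10.5", "1.61.0.2", 162)   # from a branch net
    outside_trap = packet("9.9.9.9", "1.61.0.2", 162)    # from elsewhere
    for label, order in (("default", DEFAULT_ORDER), ("-o", O_FLAG_ORDER)):
        print(label, "branch trap ->", evaluate(rules, branch_trap, order))
        print(label, "outside trap ->", evaluate(rules, outside_trap, order))
```

Under the default order the branch-office trap still produces an alert because the alert group is consulted before the pass group; under the -o order the pass rule is reached first and the packet is dropped from further processing, while a trap from an address outside BRANCH_NETS alerts either way. When a pass rule seems ineffective, the order the daemon actually runs with and the exact address and port fields of the pass rule are the two things to check against the offending alert.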

