Snort mailing list archives

RE: Pass Rule not working?


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Wed, 24 Jul 2002 12:19:05 -0600

have you thought about creating a separate conf file called test.conf and
placing that rule and ONLY that rule in there and then running snort with
all the options (might have to drop the output line for MySQL into it as
well) to see if the pass rule is misbehaving?

-----Original Message-----
From: Steve Lebeda [mailto:stevele () wyoming com]
Sent: Wednesday, July 24, 2002 11:32 AM
To: Matt Kettler; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pass Rule not working?


Don't think so. I have my daemon set up to run -o.

Been running the command /usr/local/bin/snort -u Snorter -o -U -d -D -c
/etc/snort/snort.conf -i eth1 -l /var/log/snort in /etc/rc.d/init.d/

I thought that was the problem too, but it doesn't solve anything for me.

And since it came in while I was typing this one:

In response to Shane: I know that *.*.*.* isn't a valid IP, I just didn't
see any particular reason to hand out the IP addresses of my servers. The
stars are supposed to represent an actual IP address, not a wildcard,
since the snort wildcard is indeed any. Thanks, though.

Steve


At 01:18 PM 7/24/2002 -0400, Matt Kettler wrote:
Is this by chance the answer you need? (from the snort FAQ)

4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the program generate alerts on packets that have pass rules?
A: The default order that the rules are applied in is alerts first, then
pass rules, then log rules. This ordering ensures that you don't write 50
great alert rules and then disable them all accidentally with an errant pass
rule. If you really want to change this order so that the pass rules are
applied first, use the "-o" command line switch.


At 10:48 AM 7/24/2002 -0600, Steve Lebeda wrote:
I've been getting alerts in ACID because of ICMP packets. The message is 
ICMP Destination Unreachable (Communication Administratively Prohibited)
I know this particular issue has been addressed previously and I think I 
understand why it's happening. The servers on my Home Net are trying to 
ping to places that they aren't allowed to ping and the packets are being 
returned by an intermediary device. Trying to be clever, I wrote a pass 
rule in my local.rules file:

pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)

I'm still getting errors.

What'd I do wrong?

Steve



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
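The two points raised in this thread, rule-order evaluation (alert, pass, log by default; pass first with -o) and the fact that *.*.*.* is not a valid Snort address, can be checked against a small model. The script below is an added illustration written for this archive page, not Snort's own code: it parses a handful of rules in the 1.x syntax used in the thread, evaluates a constructed ICMP type 3 / code 13 packet under both orderings, and rejects addresses that are neither "any" nor a dotted quad. The rule text, the 192.0.2.10 destination and the packet are constructed sample values; the matching logic is a deliberate simplification of what Snort actually does.

```python
"""Toy model of Snort 1.x rule ordering (added example; not Snort source code).

Assumptions (constructed for this illustration):
  - rules are of the form  action proto src sport -> dst dport (options)
  - addresses are 'any' or a single dotted quad; no CIDR, no variables, no negation
  - only the itype/icode/msg options are interpreted
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# 'any' or a dotted quad; the placeholder *.*.*.* from the thread fails this on purpose
ADDR_RE = re.compile(r"^(any|\d{1,3}(\.\d{1,3}){3})$")

DEFAULT_ORDER = ("alert", "pass", "log")     # what the FAQ describes as the default
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what the -o switch selects


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    opts: dict
    msg: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    itype: int
    icode: int


def parse_rule(text: str) -> Rule:
    """Parse one rule line; raise ValueError on bad syntax or an invalid address."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    for field in ("src", "dst"):
        if not ADDR_RE.match(m[field]):
            raise ValueError(f"invalid address {m[field]!r}: use 'any' or a dotted quad")
    opts = {}
    for item in m["opts"].split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["dst"], opts, opts.get("msg", text.strip()))


def parses(text: str) -> bool:
    """True if parse_rule accepts the line, False if it raises ValueError."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header plus itype/icode comparison; 'any' matches every address."""
    if rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if "itype" in rule.opts and int(rule.opts["itype"]) != pkt.itype:
        return False
    if "icode" in rule.opts and int(rule.opts["icode"]) != pkt.icode:
        return False
    return True


def evaluate(rules, pkt: Packet, order=DEFAULT_ORDER):
    """Walk the action groups in `order`; the first matching rule decides the outcome."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.msg
    return "none", None


# Constructed sample rule set: a stock-style alert and the pass rule from the thread,
# with the poster's *.*.*.* placeholder replaced by a documentation address.
SAMPLE_RULES = [
    parse_rule('alert icmp any any -> any any (msg:"ICMP Destination Unreachable '
               '(Communication Administratively Prohibited)"; itype: 3; icode: 13;)'),
    parse_rule("pass icmp any any -> 192.0.2.10 any (itype: 3; icode: 13)"),
]
# Constructed sample packet: the admin-prohibited reply coming back to the home-net host.
SAMPLE_PACKET = Packet("icmp", "203.0.113.5", "192.0.2.10", 3, 13)

if __name__ == "__main__":
    print("default order :", evaluate(SAMPLE_RULES, SAMPLE_PACKET))
    print("with -o       :", evaluate(SAMPLE_RULES, SAMPLE_PACKET, PASS_FIRST_ORDER))
    print("*.*.*.* parses:", parses("pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)"))
```

Running it shows the alert firing under the default order and the pass rule winning once the pass group is evaluated first, which is exactly the behaviour the FAQ excerpt describes; it also shows that a rule whose destination is written as *.*.*.* is rejected outright rather than silently treated as a wildcard.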

