Snort mailing list archives
Re: Pass Rule
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 26 Nov 2002 15:16:36 -0600
On Tue, 2002-11-26 at 14:48, Joseph Nuara wrote:
> I am trying to pass all traffic to and from a specific IP that matches the following rule in dns.rules:
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL\: 1 min. and no authority"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:2;)
>
> I am using the -o option to snort and have created this rule in local.rules: where the x's are real ip addy's
>
> pass udp xxx.xxx.xxx.xxx 53 -> xxx.xxx.xxx.xxx 53 (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; )
>
> I'm sure it's something simple but I just seem to keep dancing around the issue. Thanks in advance for the help.
I would suggest putting any pass rules in a file called pass.rules, and loading it in your snort.conf before any other rules.

Regards,
Frank