Snort mailing list archives

Re: Pass Rule


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 26 Nov 2002 15:35:21 -0800 (PST)

On Tue, 26 Nov 2002, Joseph Nuara wrote:

> Yes it is server to server on port 53 and I am using the -o option. I
> tried changing port 53 to any in the dst host (as you suggested) but it
> still doesn't pass the traffic. I was only able to get it to pass traffic
> by removing the content fields (FYI both ports were 53 as reported in
> the alert on the ACID db console).

I'm guessing it's from your content.

  (content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; )

Have the packets logged to disk and then check the packets.  I'm pretty
sure it doesn't have the content listed in the content options.  But
again, that's a guess.  :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
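
Added example (not part of the original message or of Snort itself): one way to run the check suggested above, testing a logged payload against the rule's two content options. The helper names are hypothetical and the DNS payloads are constructed. It assumes plain content options with no offset/depth/nocase modifiers, each searched over the whole payload.

```python
# Added example, not from the original thread. Payloads are constructed.
def parse_content(spec: str) -> bytes:
    """Turn a Snort content string (text with |hex| runs) into raw bytes."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def check_contents(payload: bytes, specs) -> dict:
    """Map each content string to its first offset in payload, or -1."""
    return {s: payload.find(parse_content(s)) for s in specs}

def rule_matches(payload: bytes, specs) -> bool:
    """A rule fires only if every content option is present."""
    return all(off >= 0 for off in check_contents(payload, specs).values())

def dns_name(*labels: str) -> bytes:
    """Encode labels as an uncompressed DNS wire-format name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

# The two content options quoted in the message above.
CONTENTS = ["|85800001000100000000|", "|c00c000c00010000003c000f|"]

# Constructed DNS PTR response: id, flags 0x8580, 1 question, 1 answer.
HEADER = bytes.fromhex("123485800001000100000000")
QUESTION = dns_name("1", "0", "0", "10", "in-addr", "arpa") + bytes.fromhex("000c0001")
RDATA = dns_name("a", "example", "com")  # 15 bytes, matching rdlength 0x000f

def response(ttl: int) -> bytes:
    """Answer RR: pointer c00c, type PTR, class IN, TTL, rdlength, rdata."""
    answer = bytes.fromhex("c00c000c0001") + ttl.to_bytes(4, "big") + len(RDATA).to_bytes(2, "big")
    return HEADER + QUESTION + answer + RDATA

MATCHING = response(ttl=60)      # TTL 0x3c, as the second content expects
OTHER_TTL = response(ttl=3600)   # same packet shape, different TTL

if __name__ == "__main__":
    for label, pkt in (("ttl=60", MATCHING), ("ttl=3600", OTHER_TTL)):
        print(label, check_contents(pkt, CONTENTS), "match:", rule_matches(pkt, CONTENTS))
```

An offset of -1 for either pattern means the rule as written cannot match that packet, whatever the addresses and ports are.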


