Re: Rule problems

[Erek Adams <erek () snort org>]

On Mon, 3 Mar 2003, Pete Blessing wrote:

> I have created a line in the local.rules file that is as follows:  pass
> udp A.A.A.A any -> X.X.X.X/32 161.
> I also have used the "-o" to have the "pass" be processed before the
> rest of the other rules.  My question is why would I still be seeing
> traffic being alerted to my DB from A.A.A.A to X.X.X.X?  When look at
> the alert in ACID it shows udp as well as the dport being 161.  Am I
> missing something? The signature is a "spp_asn1".  I am rather new to
> snort but I think I am following the correct syntax for my rule.

Because that's not from a rule.  It's from a preprocessor--spp_asn1.

Have a look at this [0].  It should help you solve your problems.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/ignore.txt


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users