Snort mailing list archives
Re: Pass rule not working...
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 Jan 2003 13:54:53 -0500
Actually, *does* that work for you Erek? I seemed to have to use:

    preprocessor portscan2-ignorehosts: $HOME_NET

instead of:

    preprocessor portscan-ignorehosts: $HOME_NET

when using portscan2, and that output looks pretty portscan2-ish to me.

But you are right, if that's output from a preprocessor like portscan2, I don't think pass rules will change anything. BPF is the way to go for that, or use the portscan2-ignorehosts bit. Or heck, just turn off portscan2 entirely (preferably replacing it with something else that works better like spade).

At 09:08 AM 1/23/2003 -0500, Erek Adams wrote:
> preprocessor portscan-ignorehosts: $HOME_NET
>
> local.rules:
> pass tcp $HOME_NET any -> $HOME_NET 8001
> pass tcp $HOME_NET 8001 -> $HOME_NET any

[...snip...]

That works for me, and should work for you. If it doesn't (the alerts are coming from spp_portscan(2)) then you might have to use a BPF filter.

    snort <usual options> "not host <foo> and port 8001"
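Added example, not part of the thread: a small Python evaluator for the pcap-filter subset used in the BPF command above, showing which packets reach Snort with and without parentheses, since `not` binds tighter than `and` in pcap filter syntax. The packets are constructed, and 10.0.0.5 is an assumed stand-in for `<foo>`.

```python
# Evaluator for the pcap-filter subset in the thread: host, port, not/and/or, parentheses.
# Per pcap-filter(7): negation binds tightest; and/or share one level, left to right.
def parse(tokens):
    node = parse_unary(tokens)
    while tokens and tokens[0] in ("and", "or"):
        node = (tokens.pop(0), node, parse_unary(tokens))
    return node

def parse_unary(tokens):
    tok = tokens.pop(0)
    if tok == "not":
        return ("not", parse_unary(tokens))
    if tok == "(":
        node = parse(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    if tok in ("host", "port"):
        return (tok, tokens.pop(0))
    raise ValueError("unsupported token: " + tok)

def matches(node, pkt):  # pkt = (name, src, dst, sport, dport)
    kind = node[0]
    if kind == "host":
        return node[1] in pkt[1:3]
    if kind == "port":
        return int(node[1]) in pkt[3:5]
    if kind == "not":
        return not matches(node[1], pkt)
    left, right = matches(node[1], pkt), matches(node[2], pkt)
    return (left and right) if kind == "and" else (left or right)

def seen_by_snort(expr, packets):
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    tree = parse(tokens)
    if tokens:
        raise ValueError("trailing tokens: " + " ".join(tokens))
    return [p[0] for p in packets if matches(tree, p)]

# Constructed traffic; 10.0.0.5 stands in for <foo> from the thread.
PACKETS = [("foo:8001", "10.0.0.5", "10.0.0.9", 40000, 8001),
           ("foo:22", "10.0.0.7", "10.0.0.5", 40001, 22),
           ("other:8001", "10.0.0.7", "10.0.0.9", 40002, 8001),
           ("other:80", "10.0.0.7", "10.0.0.9", 40003, 80)]

if __name__ == "__main__":
    for f in ("not host 10.0.0.5 and port 8001", "not (host 10.0.0.5 and port 8001)"):
        print(f, "->", seen_by_snort(f, PACKETS))
```

Without parentheses only the port 8001 traffic that does not involve the host is inspected; with them, everything except that host's port 8001 traffic is inspected.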