Snort mailing list archives

Re: Same source/dest

From: Keg <snrtlst () netscape net>
Date: Wed, 02 Apr 2003 17:08:13 -0500

Is it safe to say that that best placement for pass rules would belocal.rules file? (Meaning later rule updates?


Erek Adams wrote:

On Wed, 2 Apr 2003, Keg wrote:

Sorry guys for the question but how do I write the pass rule?


Just like any other, except instead of 'alert' or 'log' the action is
'pass'.  Have a look at this [0] for an example.  You can also find more
info in the Snort Users manual.

Should a create the file and name it as pass.rules or should I simply
add the following to the local rules.?

pass ip 10.13.110.254 53 -> 10.13.110.254 any


That's all up to you.  Depends on how you like to organize things.  :)
Since there's a blank local.rules in the default ruleset, I don't like to
use that filename.  It stops me from just copying the rules/* over to
/etc/snort/rules/.  I tend to use 'pass.rules' and 'my.rules' for pass and
local stuff.

You pick whatever way works for you.  Just remember that you did it! :)

Cheers!

-----
Erek Adams

  "When things get weird, the weird turn pro."   H.S. Thompson


[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt


-------------------------------------------------------

This SF.net email is sponsored by: ValueWeb:Dedicated Hosting for just $79/mo with 500 GB of bandwidth!No other company gives more support or power for your dedicated server

http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--

Your favorite stores, helpful shopping tools and great gift ideas.Experience the convenience of buying online with Shop@Netscape!http://shopnow.netscape.com/





-------------------------------------------------------

This SF.net email is sponsored by: ValueWeb:Dedicated Hosting for just $79/mo with 500 GB of bandwidth!No other company gives more support or power for your dedicated server

http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Same source/dest, (continued)
- Re: Same source/dest james (Apr 01)
  - Re: Same source/dest Erek Adams (Apr 02)
    - Re: Same source/dest James-lists (Apr 02)
- RE: Same source/dest Brei, Matt (Apr 02)
  - Re: Same source/dest Keg (Apr 02)
- RE: Same source/dest Hutchinson, Andrew (Apr 02)
- RE: Same source/dest Brei, Matt (Apr 02)
  - RE: Same source/dest Erek Adams (Apr 02)
    - Re: Same source/dest Keg (Apr 02)
    - Re: Same source/dest Erek Adams (Apr 02)
    - Re: Same source/dest Keg (Apr 02)
    - Re: Same source/dest Erek Adams (Apr 02)
- RE: Same source/dest Brei, Matt (Apr 02)
  - RE: Same source/dest Erek Adams (Apr 02)
- RE: Same source/dest Brei, Matt (Apr 02)
  - RE: Same source/dest Erek Adams (Apr 02)