Snort mailing list archives

RE: A little pass rule help


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 15 Apr 2003 22:40:08 -0400

Read up on the "writing rules" Snort docs [0] -- Snort is rather specific in
its format for rule writing.  

Christopher

[0] http://www.snort.org/docs/writing_rules/


-----Original Message-----
From: Keg [mailto:snrtlst () netscape net]
Sent: Tuesday, April 15, 2003 8:17 AM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: Re: [Snort-users] A little pass rule help


Would it be possible to use 'pass is <address> any -> <address> 
<PROTOCOL>' ?
I would like not to log traffic originating from a specific host only on a 
specific protocol....
Thank you.

L. Christopher Luther wrote:

10.0.0.0 is not a valid host IP -- it's a network address.  So if you 
want to have the 10.0.0.0 network be the destination of the pass rule, 
then the rule should look something like: 

        pass ip 10.0.30.4 any -> 10.0.0.0/8 any

The second rule should also include a port designator: 

        pass ip 10.0.20.6 any -> any any

See if this helps. 

- Christopher


-----Original Message-----
From: Keg [mailto:snrtlst () netscape net]
Sent: Monday, April 14, 2003 5:14 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] A little pass rule help


I have 2 pass rules that I placed in local.rules: (snort started with -o)
pass ip 10.0.30.4 any -> 10.0.0.0 any
pass ip 10.0.20.6 any -> any
The first should take care of cluster server broadcasts; the second takes
care of weird ICMP redirects from a Shiva device. Snort cannot be started
and it complains about those pass rules; the moment I disable 'em, Snort
starts and works fine.
Is there a syntax problem with those pass rules?
Thanks.
-- 
Your favorite stores, helpful shopping tools and great gift ideas.
Experience the convenience of buying online with Shop@Netscape!
http://shopnow.netscape.com/



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
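
The header checks discussed in this thread, as an added example that is not part of the original messages: a small Python linter for the seven-field Snort rule header (action, protocol, source address, source port, direction, destination address, destination port). The function names are hypothetical, only single addresses, CIDR blocks, `any`, `$VAR` names and `!` negation are handled, and the bare `.0` warning is a heuristic based on the reply above.

```python
import ipaddress

# Keyword sets assumed from Snort rule syntax of this period.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

def check_address(field):
    """Problems with one address field (any, $VAR, IP or CIDR, optional '!')."""
    if field == "any" or field.startswith("$"):
        return []
    addr = field.lstrip("!")
    try:
        ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return [f"'{field}' is not an IP address or CIDR block"]
    if "/" not in addr and addr.endswith(".0"):
        # Heuristic from the reply: a bare x.x.x.0 is probably meant as a network.
        return [f"'{field}' ends in .0 but has no CIDR mask"]
    return []

def check_port(field):
    """Problems with one port field (any, $VAR, N, N:M, :M, N:, optional '!')."""
    if field == "any" or field.startswith("$"):
        return []
    parts = field.lstrip("!").split(":")
    ok = len(parts) <= 2 and any(parts) and all(
        p == "" or (p.isdigit() and int(p) <= 65535) for p in parts)
    return [] if ok else [f"'{field}' is not a port, port range or 'any'"]

def check_header(rule):
    """Return a list of problems found in a rule's header; empty means it parsed."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7:
        return ["expected 7 fields (action proto src sport dir dst dport), "
                f"got {len(fields)}"]
    action, proto, src, sport, direction, dst, dport = fields
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action '{action}'")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol '{proto}'")
    if direction not in DIRECTIONS:
        problems.append(f"unknown direction operator '{direction}'")
    return problems + check_address(src) + check_port(sport) \
        + check_address(dst) + check_port(dport)

if __name__ == "__main__":
    # The two rules from the original question, then the corrected forms.
    for r in ("pass ip 10.0.30.4 any -> 10.0.0.0 any", "pass ip 10.0.20.6 any -> any",
              "pass ip 10.0.30.4 any -> 10.0.0.0/8 any", "pass ip 10.0.20.6 any -> any any"):
        print(r, "=>", check_header(r) or "ok")
```

Running a local rules file through a check like this before restarting the sensor shows which line is malformed without taking Snort down.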

