Snort mailing list archives
Re: Pass rules need SID in 2.6.1
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 17 Nov 2006 05:15:25 -0700
On Fri, 17 Nov 2006 07:07:11 -0500 "Jeff Dell" <jdell () activeworx com> wrote:
You will need to put a sid value in the rule. While you are at it I would probably put a rev too. Per the FAQ private SID numbers start with 1000000 but you will want to make sure you don't have any conflicts. pass icmp $EXTERNAL_NET any -> $HOME_NET any (icode:3; itype:3; sid:1000000; rev:1;) pass icmp any any -> any any (icode:13; itype:3; sid:1000001; rev:1;) Cheers, Jeff-----Original Message----- From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of James Lay Sent: Friday, November 17, 2006 6:12 AM To: Snort Subject: [Snort-users] Pass rules need SID in 2.6.1 Hrmmm: Nov 17 04:07:33 myshield snort[29024]: FATAL ERROR: /chroot/snort/etc/snort/rules/myshield.rules(1) => Each rule must contain a Rule-sid myshield.rules: pass icmp $EXTERNAL_NET any -> $HOME_NET any (icode:3; itype:3;) pass icmp any any -> any any (icode:13; itype:3;) Looked in the docs but didn't see why this is now... James --------------------------------------------------------------
Thanks Jeff....interesting that it just kicked in with version 2.6.1. Personally I'm not sure I see the benefit of sidding pass rules..but eh..guess I'll just have to add them now. James ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Pass rules need SID in 2.6.1 James Lay (Nov 17)
- Re: Pass rules need SID in 2.6.1 Jeff Dell (Nov 17)
- Re: Pass rules need SID in 2.6.1 James Lay (Nov 17)
- Re: Pass rules need SID in 2.6.1 Justin Heath (Nov 17)
- Re: Pass rules need SID in 2.6.1 Frank Knobbe (Nov 19)
- Re: Pass rules need SID in 2.6.1 James Lay (Nov 17)
- Re: Pass rules need SID in 2.6.1 Jeff Dell (Nov 17)