Snort mailing list archives

Re: Logging "pass" rules that are hit


From: Russ via Snort-users <snort-users () lists snort org>
Date: Mon, 25 Jun 2018 17:49:16 -0400

Hey Dave,

"pass" rules don't log but you should be able to define your own rule type that does what you want.  Check the ruletype keyword in section 3.2.1 of the manual.

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html

Hope that helps.
Russ

On 6/21/18 4:12 PM, Dave Osbourne wrote:
Hi,

I'm trying to debug a pcre match in a pass rule, but apart from inferring it's working when it doesn't fail I can't seem to figure out how to get snort to LOG pass rules that it finds... (so that I know which rule is passing).

My most basic test is to set

    output alert_fast: stdout

call snort like:

    /usr/local/bin/snort -c /etc/snort/snortdelme.conf -Q -i eth1:eth2

I'm (against most basically) matching a SYN packet:

    pass tcp  0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"pass message"; flags: S; dsize: 0; sid:1000;)
    log tcp  0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"log message"; flags: S; dsize: 0; sid:2000;)

I know the packet is flowing through the bridge - because if I change pass/log to reject I see a message and the packet is blocked.

I just can't figure out how to make pass appear in the log!

Dave
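As an added illustration of the ruletype declaration the reply points to (not code from the thread or from the Snort project): a custom rule type built on the pass action with an output plugin attached, and Dave's SYN rule switched to that action; the type name logged_pass and the output file name are assumptions.

```snort
# snort.conf fragment (added example, not from the thread).
# A custom rule type per the ruletype keyword in manual section 3.2.1:
# "type" selects the underlying action, and output plugins listed inside
# the block are bound to this rule type only.
ruletype logged_pass
{
    type pass
    output log_tcpdump: logged_pass.log    # file name is an assumption
}

# Dave's SYN test rule using the custom action instead of the built-in "pass".
# 192.168.X.Y is the placeholder host from the original message.
logged_pass tcp 0.0.0.0/0 any -> 192.168.X.Y 1433 (msg:"pass message"; flags:S; dsize:0; sid:1000;)
```

Whether Snort's pass action actually invokes the attached output is exactly what the reply says "should" work, so confirm it against a captured SYN (for example with -r on a pcap) before relying on it to tell you which pass rule matched.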


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette