Subject: RE: [snort] What is the purpose of PASS action
From: Mullen, Patrick (Patrick.Mullen GD-CS.COM)
Date: Mon Mar 20 2000 - 11:57:15 CST
> What is the purpose of the PASS action, since it will trigger nothing
> in the IDS? What kind of useful rule could be written with this action?
Pass rules are to allow specific exceptions to a rule through without
causing an alert.
Crappy example, but in plain English (I hope) --
You want any TCP connection attempts to port 53 on serverA to trigger
an alarm, unless it is from serverB.
You would use the -o option to reverse the order of rules to pass, alert,
log (I think. The important part is pass is first) and use --
    pass serverB connecting to TCP port 53 on serverA
    alert anyone connecting to TCP port 53 on serverA
Hope this helps,
~Patrick
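
The ordering described in the message above, as an added example that is not part of the original post and is not Snort's own code: a simplified first-match model of the standard Alert->Pass->Log order versus the Pass->Alert->Log order selected by -o. The addresses standing in for serverA and serverB, the sample packets and all function names are constructed for illustration.

```python
# Simplified model of rule-list ordering (added example, not Snort source).
from ipaddress import ip_address, ip_network

SERVER_A = "192.0.2.10"   # constructed address for serverA
SERVER_B = "192.0.2.20"   # constructed address for serverB

# Each rule: (action, protocol, source network, destination network, dest port)
RULES = [
    ("alert", "tcp", "0.0.0.0/0", SERVER_A + "/32", 53),
    ("pass", "tcp", SERVER_B + "/32", SERVER_A + "/32", 53),
]

DEFAULT_ORDER = ("alert", "pass", "log")   # standard Alert->Pass->Log
PASS_FIRST = ("pass", "alert", "log")      # order selected by -o


def matches(rule, pkt):
    """True if the packet matches the rule's protocol, addresses and port."""
    _, proto, src, dst, dport = rule
    return (pkt["proto"] == proto
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and pkt["dport"] == dport)


def evaluate(pkt, rules=RULES, order=DEFAULT_ORDER):
    """Walk the action lists in the given order; the first match decides."""
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, pkt):
                return action
    return None  # nothing matched: the packet is ignored


def make_pkt(src, dport=53, proto="tcp", dst=SERVER_A):
    """Build a constructed sample packet aimed at serverA by default."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", PASS_FIRST)):
        for src in (SERVER_B, "198.51.100.7"):
            print(name, src, "->", evaluate(make_pkt(src), order=order))
```

In this model the serverB exception only takes effect when the pass list is consulted first; in the default order the broader alert rule matches before the pass rule is reached. Because traffic matching a pass rule produces no alert at all, the pass rule is kept as narrow as the exception requires (one source, one destination, one port).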