OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: RE: [snort] What is the purpose of PASS action
From: Mullen, Patrick (Patrick.MullenGD-CS.COM)
Date: Mon Mar 20 2000 - 11:57:15 CST


> What is the purpose of the PASS action, since it will trigger nothing
> in the IDS ? What kind of usefull rule could be wrote with this action?

Pass rules are to allow specific exceptions to a rule through without
causing an alert.

Crappy example, but in plain English (I hope) --

You want any TCP connection attempts to port 53 on serverA to trigger
an alarm, unless is it from serverB.

You would use the -o option to reverse the order of rules to pass, alert,
log (I think. The important part is pass is first) and use --

pass serverB connecting to TCP port 53 on serverA
alert anyone connecting to TCP port 53 on serverA

Hope this helps,

~Patrick