From: Brian Carpio (carb02csgsystems.com)
Date: Fri Jun 08 2001 - 10:17:01 CDT

    Thanks for the info; it was the -o option that I was missing.

    Also, I made a typo in my post, and I was specifying icmp:

    pass icmp 205.144.151.100/32 any -> 205.144.151.83/32 any

    Thanks

    Brian Carpio

    On Thu, 7 Jun 2001, Colin Wu wrote:

    > Don't you also need to specify the protocol? i.e. tcp, udp, or icmp?
    >
    > pass tcp 205.144.151.100/32 any -> 205.144.151.83/32 any
    > pass udp 205.144.151.100/32 any -> 205.144.151.83/32 any
    >
    > Neil Dickey wrote:
    >
    > > Brian Carpio <carb02csgsystems.com> wrote asking:
    > >
    > > >I have created a rule
    > > >
    > > >pass 205.144.151.100/32 any -> 205.144.151.83/32 any
    > > >
    > > >
    > > >but messages are still getting recorded in the /var/adm/messages from ICMP
    > > >Requests from this box. What's wrong with my rule? Does the order of
    > > >rules in the snort.conf file regulate this? Which takes precedence, a pass
    > > >rule or an alert rule?
    > >
    > > It depends. If you are using the '-o' switch when invoking snort, then
    > > pass rules have precedence over alert rules. If you aren't, then alert
    > > rules have precedence. Check to be sure that you are using this switch.
    > >
    > > Best regards,
    > >
    > > Neil Dickey, Ph.D.
    > > Research Associate/Sysop
    > > Geology Department
    > > Northern Illinois University
    > > DeKalb, Illinois
    > > 60115
    > >
    > > _______________________________________________
    > > Snort-users mailing list
    > > Snort-userslists.sourceforge.net
    > > Go to this URL to change user options or unsubscribe:
    > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > Snort-users list archive:
    > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >
    > --
    > Colin Wu

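The rule-ordering behaviour discussed in this thread, as a simplified model added here for illustration (it is not Snort's code and not from any poster). The function names, the catch-all alert rule and the sample packet are assumptions constructed for the example; the pass rule and addresses are the ones quoted above.

```python
import ipaddress

# Rule-type test order in Snort 1.x: the default, and the order selected by -o.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

def parse_rule(line):
    """Parse a rule header 'action proto src sport -> dst dport' (no options)."""
    fields = line.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError(f"malformed header (is the protocol missing?): {line!r}")
    action, proto, src, sport, _, dst, dport = fields
    if action not in DEFAULT_ORDER or proto not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unknown action or protocol in: {line!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(spec, port):
    # ICMP packets carry no ports, so only "any" can match them.
    return spec == "any" or (port is not None and int(spec) == port)

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and _addr_ok(rule["src"], pkt["src"])
            and _addr_ok(rule["dst"], pkt["dst"])
            and _port_ok(rule["sport"], pkt.get("sport"))
            and _port_ok(rule["dport"], pkt.get("dport")))

def decide(rules, pkt, pass_first=False):
    """Return the action of the first matching rule, testing rule types in order."""
    for action in (PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER):
        if any(r["action"] == action and matches(r, pkt) for r in rules):
            return action
    return None  # no rule matched

RULES = [parse_rule(text) for text in (
    "alert icmp any any -> any any",  # constructed stand-in for an ICMP alert rule
    "pass icmp 205.144.151.100/32 any -> 205.144.151.83/32 any",  # rule from the thread
)]
PING = {"proto": "icmp", "src": "205.144.151.100", "dst": "205.144.151.83"}  # constructed

if __name__ == "__main__":
    print("default order:", decide(RULES, PING))
    print("with -o      :", decide(RULES, PING, pass_first=True))
```

In this model the header without a protocol field, as first posted, is rejected by `parse_rule`, and a packet from any other source still reaches the alert rule when pass rules are tested first.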