From: Erek Adams (erek@theadamsfamily.net)
Date: Wed Jul 03 2002 - 13:15:14 CDT


On Wed, 3 Jul 2002 DThomaz@flowserve.com wrote:

> If I want to use the pass rule, where do I have to add it?

IMHO, the best way to do it would be to create an 'ignore.rules' and place the
pass rule in that rules file. Then I would include that rulefile at the top
of the list of included files in snort.conf. For example:

[...snip...]

#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================

# Ignore.rules stores pass rules for hosts I wish to ignore.
include $RULE_PATH/ignore.rules

# Standard Snort Rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules

[...snip...]

And then in ignore.rules:

pass icmp <foo> any -> $HOME_NET any

> What is BPF?

BPF stands for Berkeley Packet Filter. To understand the syntax of the
filter, have a look at your local tcpdump(8) manpage.

As a note, if you are seeing a lot of packets from those machines you wish to
ignore, you'll get better performance out of snort by using a filter instead
of a pass rule. For the pass rule to work, the packet must be parsed in some
way by snort, whereas the BPF drops it at the packet capture level and the
packets are never 'seen' by snort at all.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
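The post's advice to move high-volume ignores out of pass rules and into a capture-level BPF filter can be automated. The following is an added example, not code from the post or from the Snort project: it reads header-only pass rules from an ignore.rules file (a constructed sample is embedded below, with a made-up host in place of the post's <foo>) together with the snort.conf variables they reference (also constructed), and emits the equivalent tcpdump-style "not (...)" expression.

```python
import re
from ipaddress import ip_network
# Constructed sample values standing in for the real snort.conf 'var' lines.
SNORT_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
# Constructed sample ignore.rules; the post's <foo> becomes a made-up host.
IGNORE_RULES = """
# Ignore.rules stores pass rules for hosts I wish to ignore.
pass icmp 10.0.0.5 any -> $HOME_NET any
pass tcp $HOME_NET any -> 10.0.0.0/8 161
pass ip 10.9.9.9 any <> any any
"""
# Header part of a pass rule: proto, src, sport, direction, dst, dport.
RULE_RE = re.compile(
    r"^pass\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)

def _addr_term(side, value, variables):
    """'src host X' / 'dst net X' for one rule address; 'any' contributes nothing."""
    if value.startswith("$"):
        value = variables.get(value[1:], "any")
    if value == "any":
        return None
    ip_network(value, strict=False)  # fail loudly on typos or [list] syntax we don't handle
    return f"{side} {'net' if '/' in value else 'host'} {value}"

def _port_term(side, value):
    return None if value == "any" else f"{side} port {value}"

def rule_terms(proto, src, sport, dst, dport, variables):
    """One pass rule header as a BPF conjunction; proto 'ip' is implied, not spelled out."""
    terms = [] if proto == "ip" else [proto]
    terms += [t for t in (_addr_term("src", src, variables), _port_term("src", sport),
                          _addr_term("dst", dst, variables), _port_term("dst", dport)) if t]
    return " and ".join(terms) or "ip"

def pass_rules_to_bpf(rules_text, variables):
    """One BPF expression that drops, at capture time, everything the pass rules would pass."""
    clauses = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "(" in line:
            continue  # comments, other rules, and pass rules with options (no BPF equivalent)
        f = m.groupdict()
        clauses.append(rule_terms(f["proto"], f["src"], f["sport"], f["dst"], f["dport"], variables))
        if f["dir"] == "<>":  # bidirectional rule: also drop the reverse flow
            clauses.append(rule_terms(f["proto"], f["dst"], f["dport"], f["src"], f["sport"], variables))
    return "not (" + " or ".join(f"({c})" for c in clauses) + ")" if clauses else ""
if __name__ == "__main__":
    print(pass_rules_to_bpf(IGNORE_RULES, SNORT_VARS))
```

As with tcpdump, the printed expression is handed to snort as trailing command-line arguments; pass rules that carry rule options or address lists have no header-level BPF equivalent and stay in ignore.rules.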

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net