Pantek Library

[Snort-sigs] Pass rule problem

From: Ian Macdonald <secsnortsigs(at)dirk.demon.co.uk>
Date: Thu Feb 20 2003 - 14:06:51 EST


I have something like
pass tcp 192.168.10.10 any <> 192.168.120.10 443 (msg: "LOCAL known traffic";)
alert tcp any any -> any any (msg: "catch all rule"; classtype:policy-violation;)

The idea is that I want to log everything that is not known traffic. However, I am still getting events being triggered by 192.168.120.10:443 -> 192.168.10.10:37797 and
192.168.10.10:37797 -> 192.168.120.10:443,
which I thought would have been bypassed by the pass rule. I am running with the -o option.

Any ideas? snort 1.9.0




Received on Fri Feb 21 18:33:00 2003
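
The following is an added example, not part of the original post and not Snort's own code: a simplified model of rule-header matching and of the rule-type order that -o selects (pass, alert, log instead of the default alert, pass, log), run over the two rules and the two flows quoted in the message. It assumes header-only matching and ignores rule options, port ranges, negation and preprocessors; the function names are hypothetical.

```python
import ipaddress

# Rules and flows copied from the post; everything else is a constructed model.
RULES = [
    'pass tcp 192.168.10.10 any <> 192.168.120.10 443 (msg: "LOCAL known traffic";)',
    'alert tcp any any -> any any (msg: "catch all rule"; classtype:policy-violation;)',
]
PACKETS = [  # (proto, src ip, src port, dst ip, dst port)
    ("tcp", "192.168.120.10", 443, "192.168.10.10", 37797),
    ("tcp", "192.168.10.10", 37797, "192.168.120.10", 443),
]

def parse_header(rule):
    """Return (action, proto, src, sport, op, dst, dport); options are dropped."""
    return tuple(rule.split("(", 1)[0].split())

def _ip_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(hdr, pkt):
    """Match a packet against a header; '<>' also tries the swapped endpoints."""
    _, proto, src, sport, op, dst, dport = hdr
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    if proto != p_proto:
        return False
    forward = (_ip_ok(src, p_src) and _port_ok(sport, p_sport)
               and _ip_ok(dst, p_dst) and _port_ok(dport, p_dport))
    reverse = (_ip_ok(src, p_dst) and _port_ok(sport, p_dport)
               and _ip_ok(dst, p_src) and _port_ok(dport, p_sport))
    return forward or (op == "<>" and reverse)

def first_action(rules, pkt, pass_first):
    """Action of the first matching rule, walking rule types in evaluation order."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    headers = [parse_header(r) for r in rules]
    for action in order:
        for hdr in headers:
            if hdr[0] == action and header_matches(hdr, pkt):
                return action
    return None

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "default:", first_action(RULES, pkt, False),
              "with -o:", first_action(RULES, pkt, True))
```

In this model both flows reach the pass rule first when the pass-first order is used, and both hit the catch-all alert under the default order.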

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:24 EDT

