Pantek Library

[Snort-users] Pass rule not passing preprocessors

From: Always Bishan <bishan4u(at)yahoo.co.uk>
Date: Sun Apr 20 2003 - 03:20:21 EDT


Hi Snorters,

I wrote a pass rule which will pass anything coming from one machine.
pass tcp 192.168.1.2 any -> any any
pass icmp 192.168.1.2 any -> any any
pass udp 192.168.1.2 any -> any any

Now I ran the Nessus scanner from 192.168.1.2. After the scan, when I viewed the alerts in my ACID, it still gave me alerts coming from preprocessors like spp_stream4 and spp_bo. But the alerts from the rule files, which used to come up when there was no pass rule for 192.168.1.2, didn't come up.

Now by writing this pass rule I'm able to avoid any alerts from my rules directory, but preprocessors are still generating alerts.

Is there any way to avoid this?

Regards,
Bishan

*Note: I did use the -o option at Snort startup.



Celebrating Happiness
email: bishan@sumerusolutions.com
company: www.sumerusolutions.com

Received on Sun Apr 20 04:11:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:12:01 EDT
