RE: [Snort-users] Problem with the -o option



Old 11-05-2004
Kaplan, Andrew H.
 

Matt --

I believe I found the problem: I did a check of the policy-based rules file located in the rules folder. I had a hunch the file was really a symbolic link. As it turned out, it was a symbolic link pointing to an obsolescent file. I recreated the link to the 'real' policy-based rules file and after that the amount of alerts dramatically dropped off. Thanks for your and everyone's help.

-----Original Message-----
From: Matt Kettler [mailto:mkettler@evi-inc.com]
Sent: Friday, November 05, 2004 3:37 PM
To: Kaplan, Andrew H.; Snort User Group (E-mail)
Subject: Re: [Snort-users] Problem with the -o option


At 10:50 AM 11/5/2004, Kaplan, Andrew H. wrote:
>2. The pass rules all have the <> operand between every instance of the source
>and destination. Is there anything else I need to do within
>the file?


Can you post an example of what your pass rules look like?

They should be of the format:

pass ip host1/32 any <> host2/32 any

or
pass ip net1/cidrmask1 any <> net2/cidrmask2 any

(of course, you can make the pass rule more restrictive, by specifying
source/dest ports and a protocol other than IP (i.e. tcp))

pass host1 <> host2 isn't valid, as far as I know.

The last example sounds like what you're trying to describe, but I'm not
sure exactly what your pass rules look like based on your vague description.


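Two things went wrong in this thread: pass rules that did not match the header form Matt describes, and a rules file that was really a symlink to a stale copy. The script below is an added example (not part of this thread, and not Snort's own parser) that checks both before a sensor is started with -o, the switch that makes Snort 2.x apply pass rules before alert rules. It assumes the Snort 2.x header grammar "pass proto src_ip src_port dir dst_ip dst_port [(options)]", accepts only the four common protocols, and treats $VARIABLE tokens as valid without resolving them; the sample rules and the file tree it builds are constructed for the demonstration.

```python
"""Sanity-check a Snort 2.x rules file before running with -o (constructed example)."""
import ipaddress
import os
import re
import tempfile

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}     # assumption: the usual four
DIRECTIONS = {"->", "<>"}
_VAR = re.compile(r"^!?\$[A-Za-z_]\w*$")     # $HOME_NET, !$EXTERNAL_NET, ...


def _strip_negation(token):
    return token[1:] if token.startswith("!") else token


def valid_ip(token):
    """'any', a $VARIABLE, or an address / CIDR block, optionally negated with '!'."""
    if token == "any" or _VAR.match(token):
        return True
    try:
        ipaddress.ip_network(_strip_negation(token), strict=False)
        return True
    except ValueError:
        return False


def valid_port(token):
    """'any', a $VARIABLE, a single port, or a range such as 80:90, 1024: or :1023."""
    if token == "any" or _VAR.match(token):
        return True
    lo, sep, hi = _strip_negation(token).partition(":")
    if not sep:
        return lo.isdigit() and int(lo) <= 65535
    if not lo and not hi:
        return False
    return all(p == "" or (p.isdigit() and int(p) <= 65535) for p in (lo, hi))


def validate_pass_rule(line):
    """Return (True, 'ok') or (False, reason) for one pass rule line."""
    header = line.split("(", 1)[0].split()     # drop the (options) part
    if len(header) != 7:
        return False, "header must be: pass proto src sport dir dst dport"
    action, proto, src, sport, direction, dst, dport = header
    if action != "pass":
        return False, "not a pass rule"
    if proto not in PROTOCOLS:
        return False, "unknown protocol %r" % proto
    if direction not in DIRECTIONS:
        return False, "direction must be -> or <>"
    for name, tok, check in (("src", src, valid_ip), ("sport", sport, valid_port),
                             ("dst", dst, valid_ip), ("dport", dport, valid_port)):
        if not check(tok):
            return False, "bad %s %r" % (name, tok)
    return True, "ok"


def audit_rules_file(path):
    """Resolve the file (through any symlink) and validate every pass rule in it."""
    report = {
        "path": path,
        "is_symlink": os.path.islink(path),
        "resolved": os.path.realpath(path),   # shows where the link really points
        "exists": os.path.isfile(path),        # False for a dangling link
        "pass_rules": 0,
        "invalid": [],                         # (line number, reason)
    }
    if not report["exists"]:
        return report
    with open(path) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            if line.split()[:1] != ["pass"]:
                continue
            report["pass_rules"] += 1
            ok, reason = validate_pass_rule(line)
            if not ok:
                report["invalid"].append((n, reason))
    return report


def build_sample_tree():
    """Constructed fixture: a real rules file, a symlink to it, and a dangling link."""
    base = tempfile.mkdtemp()
    real = os.path.join(base, "policy-real.rules")
    with open(real, "w") as fh:
        fh.write("pass ip 192.168.1.10/32 any <> 10.0.0.5/32 any\n"
                 'pass tcp $HOME_NET any <> 10.0.0.0/8 22 (msg:"trusted ssh"; sid:1000001;)\n'
                 "pass 192.168.1.10 <> 10.0.0.5\n")   # the shorthand form that is not valid
    link = os.path.join(base, "policy.rules")
    os.symlink(real, link)
    dangling = os.path.join(base, "policy-old.rules")
    os.symlink(os.path.join(base, "removed.rules"), dangling)
    return {"real": real, "link": link, "dangling": dangling}


if __name__ == "__main__":
    paths = build_sample_tree()
    for key in ("link", "dangling"):
        r = audit_rules_file(paths[key])
        print("%s -> %s symlink=%s exists=%s pass=%d invalid=%s" % (
            r["path"], r["resolved"], r["is_symlink"], r["exists"],
            r["pass_rules"], r["invalid"]))
```

Run it against the file named by the include line in snort.conf; "resolved" shows which file Snort will actually read, and "invalid" lists pass rules whose header Snort would reject or that use the bare "host1 <> host2" form.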