RE: [Snort-users] Rules Question
Check your rules order. By default it is alert -> pass -> log -> etc...
Try adding the flag -o to your command line options when starting snort.

Cheers,
Jeff

> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Roy Kidder
> Sent: Friday, February 25, 2005 8:26 AM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] Rules Question
>
> I'm trying to write what I expected to be a simple set of rules, but it's not
> working for me. They look like this:
>
> pass udp any any <> 10.0.0.10 53
> pass udp any any <> 192.168.1.5 53
> alert udp any any <> any 53 (msg: "DNS Query";)
>
> What I expected was to alert on any DNS queries except those to 10.0.0.10 or
> to 192.168.1.5. Instead, I'm seeing alerts on everything including those two
> hosts.
>
> Any pointers on what I did wrong?
>
> Thanks in advance,
> Roy
>
> Roy Kidder
> Network Engineer
> Safelite Glass Corp.
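
The rule-ordering behaviour described in the reply above, as an added example that is not part of the original thread and is not Snort's own code: a simplified Python model that evaluates Roy's three rules under the default alert -> pass -> log order and under the pass -> alert -> log order that -o selects. The sample packets, the matches() and verdict() helpers and the "first matching action group wins" logic are assumptions made for illustration.

```python
# Simplified model of Snort's action ordering; not Snort code.
# Roy's rules from the post: (action, proto, src, sport, dst, dport), all "<>".
RULES = [
    ("pass",  "udp", "any", "any", "10.0.0.10",   "53"),
    ("pass",  "udp", "any", "any", "192.168.1.5", "53"),
    ("alert", "udp", "any", "any", "any",         "53"),
]

DEFAULT_ORDER = ("alert", "pass", "log")  # order given in the reply
DASH_O_ORDER = ("pass", "alert", "log")   # order applied when snort runs with -o

def _one_way(rule, src, sport, dst, dport):
    """Compare one direction of a packet against a rule header."""
    pairs = zip(rule[2:], (src, sport, dst, dport))
    return all(want == "any" or want == str(got) for want, got in pairs)

def matches(rule, pkt):
    """The "<>" operator matches the packet in either direction."""
    if rule[1] != pkt["proto"]:
        return False
    fwd = _one_way(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = _one_way(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd or rev

def verdict(pkt, order, rules=RULES):
    """Walk the action groups in order; the first group with a match decides."""
    for action in order:
        if any(r[0] == action and matches(r, pkt) for r in rules):
            return action
    return "none"

# Constructed sample packets (addresses other than Roy's two hosts are made up).
QUERY_TO_EXEMPT = {"proto": "udp", "src": "192.168.1.20", "sport": 40000,
                   "dst": "10.0.0.10", "dport": 53}
REPLY_FROM_EXEMPT = {"proto": "udp", "src": "192.168.1.5", "sport": 53,
                     "dst": "192.168.1.20", "dport": 40000}
QUERY_TO_OTHER = {"proto": "udp", "src": "192.168.1.20", "sport": 40001,
                  "dst": "203.0.113.7", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("query to 10.0.0.10", QUERY_TO_EXEMPT),
                      ("reply from 192.168.1.5", REPLY_FROM_EXEMPT),
                      ("query to 203.0.113.7", QUERY_TO_OTHER)]:
        print(f"{name:24} default={verdict(pkt, DEFAULT_ORDER):6}"
              f" with -o={verdict(pkt, DASH_O_ORDER)}")
```

Under the default order the alert rule is consulted before either pass rule, so traffic to the two exempt resolvers still alerts; with the pass group first, only DNS traffic to other hosts reaches the alert rule.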