Bypassing default Snort rules in order to allow local traffic. I have Snort running on a router; it works well, however I have a puzzling problem bypassing the default Snort rules. According to the documentation, a rule action "pass" should solve it, but I never get any glimpse of these rules in the logging output. These are the rules:
# content patterns use matched pipes to enclose hex bytes; an unpaired pipe is a parse error
log udp [192.168.1.170,192.168.1.169,192.168.1.168] 3483 <> 255.255.255.255 3483 (content:"|ff ff ff ff ff ff|"; flow:stateless; sid:1000099; rev:1;)
pass udp [192.168.1.170,192.168.1.169,192.168.1.168] 3483 <> 255.255.255.255 3483 (content:"|ff ff ff ff ff ff|"; flow:stateless; sid:1000098; rev:1;)
Even a shorter version won't work.
log udp [192.168.1.170,192.168.1.169,192.168.1.168] 3483 <> 255.255.255.255 3483 (priority:1; sid:1000099; rev:1;)
pass udp [192.168.1.170,192.168.1.169,192.168.1.168] 3483 <> 255.255.255.255 3483 (priority:1; sid:1000098; rev:1;)
In the log file there is no trace of any action; however, the default Snort rule basically holds the traffic for these IPs for about a minute, then works for another minute, and holds again. I couldn't find any information regarding my case. Prioritization didn't work; maybe the rule needs to be loaded up front, but I couldn't find any solution for that.
Snort 3.1.82.0.
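As an added example (my own code, not from the original post and not part of Snort), here is a small Python checker that parses a rule's content pattern the way Snort's pipe syntax works: text outside pipes is literal, text between a matched pair of pipes is hex bytes. Run over the rules posted above it flags the unpaired pipe in "ff|ff|ff|ff|ff|ff" and accepts the corrected "|ff ff ff ff ff ff|" form. It also attaches a note to pass rules, because a pass rule never generates alert or log output, so its absence from the log file says nothing about whether it matched. The rule strings embedded below are copied from the post; the function names and the rule regex are my own assumptions, and backslash escapes inside content strings are not handled.

```python
import re

# Rules as posted in the question (the first one carries the unpaired pipe).
BROKEN_LOG_RULE = (
    'log udp [192.168.1.170,192.168.1.169,192.168.1.168] 3483 <> 255.255.255.255 3483 '
    '(content:"ff|ff|ff|ff|ff|ff",nocase; flow:stateless; sid:1000099; rev:1;)'
)
FIXED_PASS_RULE = (
    'pass udp [192.168.1.170,192.168.1.169,192.168.1.168] 3483 <> 255.255.255.255 3483 '
    '(content:"|ff ff ff ff ff ff|"; flow:stateless; sid:1000098; rev:1;)'
)

PASS_NOTE = ("pass rules generate no alert or log output; "
             "matching traffic simply stops being evaluated")

# header: action, protocol, addresses/ports, then the options in parentheses
RULE_RE = re.compile(r"^(?P<action>\w+)\s+\S+.*?\((?P<opts>.*)\)\s*$")
CONTENT_RE = re.compile(r'content:"([^"]*)"')


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content pattern to the raw bytes it matches.

    Characters outside '|...|' are literal; characters inside are hex
    digits (whitespace between bytes is allowed).  Raises ValueError on
    an unpaired pipe or on non-hex text inside a hex section.
    """
    out = bytearray()
    in_hex = False
    hex_buf = ""
    for ch in pattern:
        if ch == "|":
            if in_hex:
                try:
                    out.extend(bytes.fromhex(hex_buf))
                except ValueError as exc:
                    raise ValueError(f"bad hex section {hex_buf!r}") from exc
                hex_buf = ""
            in_hex = not in_hex
        elif in_hex:
            hex_buf += ch
        else:
            out.extend(ch.encode("latin-1"))
    if in_hex:
        raise ValueError("unterminated hex section (odd number of '|')")
    return bytes(out)


def review_rule(rule: str) -> list:
    """Return human-readable notes about one rule line.

    Notes cover content patterns that Snort would reject and the
    no-output behaviour of the pass action.
    """
    notes = []
    m = RULE_RE.match(rule.strip())
    if m is None:
        return ["line does not look like a Snort rule"]
    for cm in CONTENT_RE.finditer(m.group("opts")):
        try:
            parse_content(cm.group(1))
        except ValueError as exc:
            notes.append(f"content {cm.group(1)!r}: {exc}")
    if m.group("action") == "pass":
        notes.append(PASS_NOTE)
    return notes


if __name__ == "__main__":
    for rule in (BROKEN_LOG_RULE, FIXED_PASS_RULE):
        print(rule.split()[0], review_rule(rule) or ["no notes"])
```

Running the script prints one parse note for the log rule as posted and only the pass-action note for the corrected pass rule; the parser itself can be pointed at any content string to see exactly which bytes Snort would search for.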