![snort logo](/images/snort-logo.png)
Snort mailing list archives
about pass rule
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Sat, 19 Jan 2002 13:51:04 -0600
Is it just replacing the word "alert" with "pass" so that it ignores the attack? Example. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application -attack; sid:1002; rev:2;) will become pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application -attack; sid:1002; rev:2;) -o is also needed. :-) Thanks. Neil _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- about pass rule Ronneil Camara (Jan 19)
- Snort loggin into MySQL Warrick FitzGerald (Jan 19)
- Re: Snort loggin into MySQL Chris Keladis (Jan 19)
- Re: Snort loggin into MySQL Warrick FitzGerald (Jan 19)
- Re: Snort loggin into MySQL Chris Keladis (Jan 19)
- Snort loggin into MySQL Warrick FitzGerald (Jan 19)