Snort mailing list archives

Snort rule "pass" not working right with -o option...


From: "Sekurity Wizard" <s.wizard () boundariez com>
Date: Wed, 14 Jan 2004 20:20:29 -0500

Greetings all,
I'm trying to use the -o option together with the pass directive in my rule set to safely 'ignore' traffic which snort would normally alert on which I know is false-positive. For example, truncated TCP options...we have two hosts that no matter what we do, they always talk (properly) and trigger the 'Truncated TCP Options' alert in the "bad-traffic.rules". I've added the -o switch to the command line to my SNORT 2.0.1 install, and added a FP.rules file which I've added to my snort.conf file for processing. Now, all other rules appear to be working OK, but that pass rule doesn't appear to be doing its job. Maybe I'm understanding the function wrong, but...shouldn't snort go pass->alert->log and see the pass rule, see my traffic, and subsequently pass the traffic and *not* alert on it?!

Please advise, trying to get this working...
 s.Wizard

