Snort mailing list archives
Snort rule "pass" not working right with -o option...
From: "Sekurity Wizard" <s.wizard () boundariez com>
Date: Wed, 14 Jan 2004 20:20:29 -0500

Greetings all,

I'm trying to use the -o option together with the pass directive in my rule set to safely 'ignore' traffic which snort would normally alert on which I know is false-positive. For example, truncated TCP options... we have two hosts that no matter what we do, they always talk (properly) and trigger the 'Truncated TCP Options' alert in the "bad-traffic.rules".

I've added the -o switch to the command line to my SNORT 2.0.1 install, and added a FP.rules file which I've added to my snort.conf file for processing. Now, all other rules appear to be working OK, but that pass rule doesn't appear to be doing its job.

Maybe I'm understanding the function wrong, but... shouldn't snort go pass->alert->log and see the pass rule, see my traffic, and subsequently pass the traffic and *not* alert on it?!

Please advise, trying to get this working...

s.Wizard