Snort mailing list archives
Re: Snort pass rules...
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 24 May 2005 14:35:27 -0400
PlanAlpha wrote:
Greetings- I'm having a problem with a couple of pass rules. Usually I get a false alert (in BASE), look at the sid=n, grep for the rule, paste it into my local.rules and change alert to pass and alter the src/dst, etc. But I'm getting some alerts on sids without rules, like sid=2 or sid=7. I assume these are from one or more of my plugins. How do I add them to my local.rules or mimic that function?
To verify it's a plugin, look at the generator. If the generator isn't 1, it's a plugin. (You can match which plugin it is by looking at the "generators" file included with snort.)

If it is a non-rule generator, then you cannot fix it with a pass rule. Pass rules, being rules, can only prevent alerts caused by other rules. Non-rule plugins are beyond their powers.

For plugins, you can use suppress to suppress that generator/sid combo for a given IP or network. Or you can try to change the options on that plugin to prevent it from firing off when it should not.
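The triage described in the reply above, as an added example that is not part of the original message: it reads the `[gid:sid:rev]` triplet from Snort "fast" alert lines and, for any generator other than 1, emits a `suppress` line in the Snort 2.x threshold.conf syntax, scoped to a network. The function name `triage`, the sample alert lines, the generator id 119 and all addresses are constructed for illustration.

```python
import ipaddress
import re

# [gid:sid:rev] triplet plus source and destination of a Snort "fast" alert line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\{\w+\}\s*(?P<src>[\d.]+)(?::\d+)?\s*->\s*(?P<dst>[\d.]+)(?::\d+)?"
)

RULE_GENERATOR = 1  # generator 1 is the rules engine; anything else is a plugin

# Constructed sample alerts (not real traffic, not from the original thread).
SAMPLE = [
    "05/24-14:30:01.000001  [**] [1:1000001:1] constructed rule alert [**] "
    "[Priority: 2] {TCP} 10.1.1.54:4312 -> 192.0.2.10:80",
    "05/24-14:30:02.000002  [**] [119:2:1] constructed plugin alert [**] "
    "[Priority: 3] {TCP} 10.1.1.54:4313 -> 192.0.2.10:80",
    "05/24-14:30:03.000003  [**] [119:7:1] constructed plugin alert [**] "
    "[Priority: 3] {TCP} 192.0.2.10:80 -> 10.1.1.54:4313",
]


def triage(line, trusted_net):
    """Return (kind, action) for one alert line.

    Returns None when the line does not parse or when neither endpoint lies
    in trusted_net, so nothing is silenced for hosts outside that network.
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    net = ipaddress.ip_network(trusted_net)
    gid, sid = int(m["gid"]), int(m["sid"])
    if ipaddress.ip_address(m["src"]) in net:
        track = "by_src"
    elif ipaddress.ip_address(m["dst"]) in net:
        track = "by_dst"
    else:
        return None
    if gid == RULE_GENERATOR:
        # Rule-generated alert: a pass rule in local.rules can silence it.
        return ("rule", f"sid {sid}: copy the rule to local.rules as 'pass', scoped to {net}")
    # Plugin-generated alert: pass rules cannot reach it, so suppress instead.
    return ("plugin", f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {net}")


if __name__ == "__main__":
    for alert in SAMPLE:
        print(triage(alert, "10.1.1.0/24"))
```

The emitted `suppress` lines belong in threshold.conf (or wherever your snort.conf includes it); keep the `ip` scope as narrow as the false positive allows so the plugin still alerts for every other host.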