Snort mailing list archives

Re: Snort Rules


From: Neil Dickey <neil () geol niu edu>
Date: Fri, 8 Jun 2001 10:06:09 -0500 (CDT)


Colin Wu <wucolin () McMaster CA> wrote in response to me:

Don't you also need to specify the protocol?  i.e. tcp, udp, or icmp?

[ ... Snip ... ]

It depends.  If you are using the '-o' switch when invoking snort, then
pass rules have precedence over alert rules.  If you aren't, then alert
rules have precedence.  Check to be sure that you are using this switch.

Yup, sure do.  I didn't catch that part, and was only responding to his
question regarding the precedence of 'pass' and 'alert' rules.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115


