Snort mailing list archives

logto: "/dev/null"


From: "Hammerle, Tye F" <tye.f.hammerle () snapon com>
Date: Fri, 31 Aug 2001 12:51:09 -0500

I have a rule that I want to flexresp on but not log due to the extreme volumes
of hits on it. From what I read with rule syntax I have to use "alert", pass
or log wouldn't have the flexresp take action. So, I added a logto:
"/dev/null" as the defined behavior for this is to cause snort to log to this
instead of snort.alert. BUT, snort is still logging to snort.alert.

Any ideas? Is there a better way? Am I misunderstanding something?

Here's my rule, the flexresp is working but snort is still logging to
snort.alert.

alert tcp x.x.x.x/24 any <-> $HOME_NET any (msg: "Reset";
resp:rst_all,icmp_all;logto: "/dev/null";)



Tye
