Snort mailing list archives

RE: Test question


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 17 Dec 2001 14:57:19 -0600

Thanks Ryan,
 
I'll try that one. So if I didn't use -o, then the new rule must come
before the alert, am I right?

        -----Original Message----- 
        From: Ryan Hill 
        Sent: Mon 12/17/2001 1:30 PM 
        To: Ronneil Camara 
        Cc: snort-users () lists sourceforge net 
        Subject: RE: [Snort-users] Test question
        
        

        Ronneil,
        
        I didn't see a reply to your post, but you have a couple of different
        options including commenting out the rule with # in front of it, or
        adding a pass rule to ignore the rule when it matches given criteria.
        
        To ignore alerts for SMTP traffic, your pass rule might look like:
        
        pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
        
        (Sorry for false alarms guys, needed to keep the rule content for the
        example.)
        
        Remember, you'll want to change snort's rule processing order if you
        decide to use pass rules: snort -o
        
        Regards,
        
        Ryan Hill, MCSE
        IT Ninja
        Corporate Information Systems
        TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
        v: 206.792.2276 - f: 206.792.2001
        pgp: 0x17CE70AB
        
        
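The following is an added example, not code from either poster and not Snort's own implementation. It is a deliberately small Python model of how Snort applies rules by action type (alert, pass, log) rather than by position in the rules file, which is the reason Ryan points to `snort -o`: by default Snort evaluates alert rules before pass rules, and `-o` moves pass rules to the front. The rules and packets below are constructed for the demonstration; the header and content matching is simplified to just protocol, destination port and a payload substring.

```python
"""Simplified model of Snort's rule-type processing order (added example, not Snort's code)."""
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default order
DASH_O_ORDER = ("pass", "alert", "log")    # the order selected by `snort -o`


@dataclass(frozen=True)
class Rule:
    action: str       # "alert", "pass" or "log"
    proto: str        # e.g. "tcp"
    dst_port: int     # 25 for SMTP, as in the pass rule from the thread
    content: bytes    # payload substring the rule looks for
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


def matches(rule: Rule, pkt: Packet) -> bool:
    """Minimal header + content match; real Snort checks far more (flags, direction, ...)."""
    return (rule.proto == pkt.proto
            and rule.dst_port == pkt.dst_port
            and rule.content in pkt.payload)


def dispatch(rules, pkt, order=DEFAULT_ORDER):
    """Return the action taken for pkt under the given type order, or None.

    Rules are walked one action type at a time, in the order given; the first
    type that has a matching rule wins.  That is why a pass rule only silences
    an alert when 'pass' comes before 'alert' in the order, regardless of
    where the two rules sit in the file.
    """
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None


# Constructed rules modelled on the thread: the stock alert plus the pass rule.
ALERT_RULE = Rule("alert", "tcp", 25, b"uid=0(root)", "ATTACK RESPONSES id check returned root")
PASS_RULE = Rule("pass", "tcp", 25, b"uid=0(root)", "ATTACK RESPONSES id check returned root")
RULES = [ALERT_RULE, PASS_RULE]

# Constructed sample packets: SMTP traffic with and without the flagged string.
SMTP_ROOT = Packet("tcp", 25, b"250 OK uid=0(root) gid=0(root)")
SMTP_CLEAN = Packet("tcp", 25, b"250 OK")


def demo():
    """Collect the outcomes a reader would want to compare."""
    return {
        # Default order: the alert fires even though a pass rule exists.
        "default_order": dispatch(RULES, SMTP_ROOT),
        # Putting the pass rule first in the file changes nothing under the default order.
        "default_order_pass_first": dispatch([PASS_RULE, ALERT_RULE], SMTP_ROOT),
        # With -o the pass rule is evaluated first and suppresses the alert.
        "with_-o": dispatch(RULES, SMTP_ROOT, DASH_O_ORDER),
        # A clean SMTP packet matches neither rule.
        "with_-o_clean": dispatch(RULES, SMTP_CLEAN, DASH_O_ORDER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows "alert" for both default-order cases and "pass" once the `-o` order is used, which is the behaviour the thread is discussing.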


