Snort mailing list archives
RE: Test question
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 17 Dec 2001 14:57:19 -0600
Thanks Ryan, I'll try that one. So if I didn't use -o, then the new rule must come before the alert, am I right?

-----Original Message-----
From: Ryan Hill
Sent: Mon 12/17/2001 1:30 PM
To: Ronneil Camara
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Test question

Ronneil,

I didn't see a reply to your post, but you have a couple of different options, including commenting out the rule with # in front of it, or adding a pass rule to ignore the rule when it matches given criteria.

To ignore alerts for SMTP traffic, your pass rule might look like:

pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)

(Sorry for false alarms guys, needed to keep the rule content for the example.)

Remember, you'll want to change snort's rule processing order if you decide to use pass rules: snort -o

Regards,

Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB
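Ryan's advice to run with snort -o, and Ronneil's question about whether the pass rule has to come before the alert in the file, both turn on how Snort 1.x groups rules by action: it walks the groups alert -> pass -> log by default and pass -> alert -> log under -o, and position within the file does not decide the outcome. The following is an added example, not code from the thread or from Snort: a small Python model of that processing order run over a constructed SMTP packet, with the pass rule from the post deliberately listed before a simplified any/any version of the sid 498 alert. The packets, the simplified alert rule and the parser's limited syntax subset are constructed assumptions.

```python
"""Toy model of Snort 1.x rule-type processing order (added example, not Snort's code).
Snort groups rules by action and evaluates the groups in a fixed order: alert -> pass
-> log by default, pass -> alert -> log with `snort -o`; file position is irrelevant."""
import re
from collections import namedtuple

DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")  # the order `snort -o` selects

Packet = namedtuple("Packet", "proto sport dport payload")
Rule = namedtuple("Rule", "action proto sport dport content msg")

# Header subset understood here: 'any' hosts, 'any' or numeric ports, '->' only.
# Of the options only content: and msg: are used; flags: and the rest are ignored.
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, sport, dport, opts = m.groups()
    content = re.search(r'content:\s*"([^"]*)"', opts)
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    return Rule(action, proto, sport, dport,
                content.group(1).encode() if content else None,
                msg.group(1) if msg else "")

def matches(rule, pkt):
    port_ok = lambda spec, port: spec == "any" or int(spec) == port
    return (rule.proto == pkt.proto and port_ok(rule.sport, pkt.sport)
            and port_ok(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))

def process(rules, pkt, order=DEFAULT_ORDER):
    """Action of the first matching rule in type order, or None if nothing matches."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None

# Constructed rules: the pass rule from the post placed BEFORE an alert rule with the
# same content (sid 498 simplified to any/any); only the type order decides the result.
RULES = [parse_rule(r) for r in (
    'pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)',
    'alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)',
)]
SMTP_PKT = Packet("tcp", 40000, 25, b"250 OK uid=0(root) gid=0(root)")  # constructed
WEB_PKT = Packet("tcp", 40000, 80, b"uid=0(root) gid=0(root)")          # constructed
```

process(RULES, SMTP_PKT) returns "alert" under the default order even though the pass rule is first in the list, and "pass" only with PASS_FIRST_ORDER; the same content on port 80 still alerts under either order.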