Snort mailing list archives
pass rule or normal rule with "!"
From: Laurent <laurent_news () yahoo com>
Date: Fri, 8 Feb 2002 15:39:14 +0100 (CET)
We have a web application running on a IIS server and all the "normal" requests will have a common begining for the URL. I would like Snort to generate an alert (and log the URL) when requests not having the expected pattern are sent to the Web server. I think we have two choices : 1) writing a pass rule with "uricontent" set to the normal expected pattern. 2) writing an alerting rule with "!" before the expected pattern. Are the two solutions completely identical (for performance for example) or is there a preferred method ? Thanks, Laurent ___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.fr _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- pass rule or normal rule with "!" Laurent (Feb 08)