Snort mailing list archives

pass rule or normal rule with "!"


From: Laurent <laurent_news () yahoo com>
Date: Fri, 8 Feb 2002 15:39:14 +0100 (CET)

We have a web application running on an IIS server and
all the "normal" requests will have a common beginning
for the URL.
I would like Snort to generate an alert (and log the
URL) when requests not having the expected pattern are
sent to the Web server.

I think we have two choices:

1) writing a pass rule with "uricontent" set to the
normal expected pattern.

2) writing an alerting rule with "!" before the
expected pattern.

Are the two solutions completely identical (for
performance, for example) or is there a preferred
method?

Thanks,

Laurent 
