Snort mailing list archives
short-circuiting rules
From: Peter Moody <peter () ucsc edu>
Date: 26 Jun 2003 12:19:11 -0700
Hello, I'm looking at setting up snort to ignore certain types of traffic and log absolutely everything else. Essentially, I don't care about p2p traffic, but everything else I want logged for potential forensic analysis. In my test setup, I've got a pass on the traffic that I don't care about, and then a catch-all rule which logs everything else. The problem is that, even though I've got a pass rule, it appears that the traffic is being captured by the later rules. Someone mentioned something about a "short-circuit" directive for the rules, but I can't find any mention of it in the docs. Is it possible that I just have my rules written incorrectly or do I need to use this directive? here's the rules for reference: pass tcp $ME any -> $OTHERME any (msg:"http request"); content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;) pass tcp $OTHERME any -> $ME any (msg:"http request"); content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;) log tcp $ME any -> $OTHERME any (msg: "other traffic");) Thanks. -Peter -- Peter Moody <peter () ucsc edu> Information Security Administrator 831/459.5409 Communications and Technology Services. http://mustard.ucsc.edu/pubkey UC, Santa Cruz. :wq
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- short-circuiting rules Peter Moody (Jun 26)
- Re: short-circuiting rules twig les (Jun 26)
- Re: short-circuiting rules Chris Green (Jun 30)