Snort mailing list archives

short-circuiting rules


From: Peter Moody <peter () ucsc edu>
Date: 26 Jun 2003 12:19:11 -0700

Hello,

I'm looking at setting up snort to ignore certain types of traffic and
log absolutely everything else.  Essentially, I don't care about p2p
traffic, but everything else I want logged for potential forensic
analysis.

In my test setup, I've got a pass on the traffic that I don't care
about, and then a catch-all rule which logs everything else.  The
problem is that, even though I've got a pass rule, it appears that the
traffic is being captured by the later rules.  Someone mentioned
something about a "short-circuit" directive for the rules, but I can't
find any mention of it in the docs.  Is it possible that I just have my
rules written incorrectly or do I need to use this directive?

Here are the rules for reference:

pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)

pass tcp $OTHERME any -> $ME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)


log tcp $ME any -> $OTHERME any (msg:"other traffic";)

Thanks.

-Peter

-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator      831/459.5409
Communications and Technology Services. http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
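The rules above, run through a small simulation added here (not Snort's own code and not part of the thread): it parses each rule, applies Snort 2.x rule-type ordering, and shows that a pass rule carrying a content match only exempts the packets that actually contain that string, so the SYN and later data segments of the same connection fall through to the catch-all log rule. The $ME/$OTHERME addresses and the sample packets are assumed/constructed.

```python
import re
# Address variables are assumed for this example; the post does not show them.
VARS = {"$ME": "10.0.0.5", "$OTHERME": "10.0.0.9"}
# Snort 2.x evaluates rule types in a fixed order (alert, pass, log by default;
# -o or "config order" moves pass first); the first matching rule decides.
ORDER = {"alert": 0, "pass": 1, "log": 2}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(text):
    """Split one single-line Snort rule into header fields and an option dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("cannot parse rule: " + text)
    action, proto, src, _sport, dst, _dport, body = m.groups()
    opts = {}
    for item in filter(None, (i.strip() for i in body.split(";"))):
        key, _, val = item.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": VARS.get(src, src),
            "dst": VARS.get(dst, dst), "opts": opts}

def matches(rule, pkt):
    """Header match, then the per-packet content test (a pass rule is no exception)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] not in ("any", pkt["src"]) or rule["dst"] not in ("any", pkt["dst"]):
        return False
    content = rule["opts"].get("content")
    if content is None:
        return True
    if "nocase" in rule["opts"]:
        return content.lower() in pkt["payload"].lower()
    return content in pkt["payload"]

def decide(rules, pkt):
    """Return 'action:msg' of the first rule that matches in evaluation order."""
    for rule in sorted(rules, key=lambda r: ORDER[r["action"]]):
        if matches(rule, pkt):
            return rule["action"] + ":" + rule["opts"].get("msg", "")
    return "no match"

RULES = [parse_rule(r) for r in (
    'pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)',
    'pass tcp $OTHERME any -> $ME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)',
    'log tcp $ME any -> $OTHERME any (msg:"other traffic";)')]

# Constructed packets from one HTTP connection; only the request segment carries "HTTP/1.".
PACKETS = {n: {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "payload": p} for n, p in
           {"request": "GET / HTTP/1.1\r\n", "syn": "", "post_body": "name=alice&city=sc"}.items()}
```

Only the request segment is passed; the SYN and the body segment are still logged, which is the behaviour described in the post.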


