Snort mailing list archives

Re: short-circuiting rules


From: twig les <twigles () yahoo com>
Date: Thu, 26 Jun 2003 12:54:12 -0700 (PDT)

The short-circuit could have referred to starting snort with the
-o parameter.

--- Peter Moody <peter () ucsc edu> wrote:
Hello,

I'm looking at setting up snort to ignore certain types of traffic and
log absolutely everything else.  Essentially, I don't care about p2p
traffic, but everything else I want logged for potential forensic
analysis.

In my test setup, I've got a pass on the traffic that I don't care
about, and then a catch-all rule which logs everything else.  The
problem is that, even though I've got a pass rule, it appears that the
traffic is being captured by the later rules.  Someone mentioned
something about a "short-circuit" directive for the rules, but I can't
find any mention of it in the docs.  Is it possible that I just have my
rules written incorrectly or do I need to use this directive?

here's the rules for reference:

pass tcp $ME any -> $OTHERME any (msg:"http request"); content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)

pass tcp $OTHERME any -> $ME any (msg:"http request"); content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)


log tcp $ME any -> $OTHERME any (msg: "other traffic");)

Thanks.

-Peter

-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator      831/459.5409
Communications and Technology Services.
http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq


ATTACHMENT part 2 application/pgp-signature name=signature.asc



=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------
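
Added example (not part of either message, and not Snort's own code): a simplified Python model of the rule-type ordering that -o changes, from the standard Alert->Pass->Log order to Pass->Alert->Log as described in the Snort man page. It assumes one verdict per packet; the alert rule, the sample packets and the function names are constructed for illustration, and the rules from the question are written here with their options inside a single pair of parentheses.

```python
import re

# Rule-type order from the Snort man page: standard, and as changed by -o.
DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")
RULE_RE = re.compile(r"(\w+) tcp (\S+) any -> (\S+) any \((.*)\)\s*$")

def parse_rule(text):
    """Parse the small rule subset used here: action, src, dst, content, nocase."""
    action, src, dst, opts = RULE_RE.match(text).groups()
    content = re.search(r'content:\s*"([^"]*)"', opts)
    return {"action": action, "src": src, "dst": dst,
            "content": content.group(1) if content else None,
            "nocase": "nocase" in opts}

def matches(rule, pkt):
    """Header must match; a content option must also be found in this packet."""
    if (rule["src"], rule["dst"]) != (pkt["src"], pkt["dst"]):
        return False
    if rule["content"] is None:
        return True
    needle, hay = rule["content"], pkt["payload"]
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def verdict(rules, pkt, order):
    """Return the first rule type, in `order`, that has a matching rule (assumed model)."""
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in rules):
            return action
    return None

# Constructed rule set: the pass/log pair from the question plus a hypothetical
# alert rule. $ME and $OTHERME are kept as literal names, not expanded.
RULES = [parse_rule(r) for r in (
    'pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; nocase;)',
    'log tcp $ME any -> $OTHERME any (msg:"other traffic";)',
    'alert tcp $ME any -> $OTHERME any (msg:"hypothetical"; content:"GET";)',
)]

# Constructed packets: an HTTP request, and a later segment of the same connection.
REQUEST = {"src": "$ME", "dst": "$OTHERME", "payload": "GET / HTTP/1.0\r\n\r\n"}
SEGMENT = {"src": "$ME", "dst": "$OTHERME", "payload": "file bytes, no request line"}

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("segment", SEGMENT)):
        print(name, verdict(RULES, pkt, DEFAULT_ORDER), verdict(RULES, pkt, DASH_O_ORDER))
```

In this model the pass/log pair behaves the same with or without -o: only packets whose payload contains HTTP/1. are passed, and other segments between the same hosts fall through to the log rule. The ordering only changes the outcome when an alert rule and a pass rule match the same packet.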
