Snort mailing list archives

Re: 1st Attempt at writing some pass rules :-)


From: "Keith W. McCammon" <mccammon () gmail com>
Date: Sun, 25 Jul 2004 17:39:38 -0400

> now, do I make a new file to hold these pass rules, or can I just stuff them in
> local.rules?

Stuff 'em in local.rules.  Or use suppress.  I'm plugging this
constantly, because it's a more precise way to deal with these
problems, requires no rule changes, and won't result in as many legit
detects being cast aside.
 
> Also, I was reading something about alerts being processed before pass rules,
> so would I need to insert something into snort.conf to make it process PASS,
> then ALERT?  Since pass means DROP, it won't do anything with the packet, even
> if it sees it, correct?

This is in the documentation.  The -o option does this.  

Some friendly advice: Read all of the documentation and FAQs prior to
posting.  Pretty much all of these things are spelled out in these
docs.  It'll save you a lot of time.
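
The two approaches from the reply above, side by side. This is an added illustration, not part of the original message; the host 192.0.2.10 and the signature IDs 1000001 and 1000002 are constructed placeholders.

```conf
# Constructed example: 192.0.2.10 stands in for a trusted host that keeps
# tripping signature 1000001 (both values are placeholders).

# Option 1: pass rule in local.rules.
# The match is on the rule header, so ALL signatures stop alerting on this
# host's traffic to port 80, not only the noisy one. Snort must also be
# started with -o so that pass rules are evaluated before alert rules.
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"ignore trusted host"; sid:1000002; rev:1;)

# Option 2: suppress entry in snort.conf (or a file it includes).
# Silences only generator 1 / signature 1000001, and only when the source
# is 192.0.2.10. Every other rule still alerts on this host, and this
# signature still alerts for every other source. No rule edits, no -o.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
```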

