Snort mailing list archives
Re: 1st Attempt at writing some pass rules :-)
From: "Keith W. McCammon" <mccammon () gmail com>
Date: Sun, 25 Jul 2004 17:39:38 -0400
> now, do I make a new file to hold these pass rules, or can I just stuff them in local.rules?
Stuff 'em in local.rules. Or use suppress. I'm plugging this constantly, because it's a more precise way to deal with these problems, requires no rule changes, and won't result in as many legit detects being cast aside.
> Also, I was reading something about alerts being processed before pass rules, so would I need to insert something into snort.conf to make it process PASS, then ALERT? Since pass means DROP, it won't do anything with the packet, even if it sees it, correct?
This is in the documentation. The -o option does this. Some friendly advice: Read all of the documentation and FAQs prior to posting. Pretty much all of these things are spelled out in these docs. It'll save you a lot of time.
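
The two approaches named in the reply, side by side, as an added example that is not part of the original message. The addresses, SIDs and rule text are constructed for illustration, and `$HOME_NET` is assumed to be defined in snort.conf.

```conf
# --- local.rules: pass rule (constructed values) ---
# Snort stops evaluating a packet that matches a pass rule, so this
# hides ALL port-80 traffic from 192.0.2.10 from every alert rule.
# It only wins over alert rules when Snort is started with -o, which
# changes the rule order so pass rules are applied first.
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"LOCAL pass trusted scanner"; sid:1000001; rev:1;)

# --- threshold.conf or snort.conf: suppress (constructed values) ---
# Silences one signature (gen_id 1, sig_id 1000002 is a placeholder for
# the noisy rule's SID) for one source address. Every other rule still
# fires on traffic from 192.0.2.10, and no rule file is edited.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10

# Same signature, silenced for a destination subnet instead.
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.0/24
```

The pass rule is scoped by address and port and blinds every signature for that traffic, while each suppress line is scoped to a single signature, which is why fewer legitimate detections are lost with suppress.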