Snort mailing list archives

A question on Snort Flow tracking and Pass rules


From: chintan shah <shahchintanh () gmail com>
Date: Wed, 5 Aug 2009 17:05:11 +0530

Hi folks

Just wanted a bit of clarification on the Snort

--- I am just trying to experiment a bit with the pass rules in Snort. The
question is, if we configure the pass rules, is it possible in Snort to
allow the particular TCP flow to go uninspected after the pass rule has been
triggered for that flow / TCP session?

## To illustrate this, if we take an example of Yahoo Messenger, I
want to allow the entire TCP session to go uninspected after the signature for
Yahoo Messenger (inspecting for the string "YMSG") is matched. So
eventually, once the signature is matched, Snort should simply allow all
the packets of that flow to just pass through without any further inspection
for that specific flow/session. Is that possible? (It's the case of just
allowing Yahoo Messenger and denying everything else...)

--- Also wanted to know about the rule matching order of Snort. Does it go
for the rule body first and then the rule headers or vice versa?


Any help or clue on the above queries would be highly appreciated.




-- 
Chintan Shah