[Snort-devel] [Bug #131641] include directives do not work right.

shawn . moyer shawn at ...232...
Fri Feb 9 02:39:50 EST 2001


Martin Roesch wrote:
> 
> I'm having a hard time making sense of this bug report, does anyone else
> know what it's saying?  Is this person trying to detect IDS152 or pass
> it?  From the description below it appears that everything is working
> fine (i.e. pass rules are considered before alert rules when -o is
> specified, regardless of relative ordering of the rules).

If I'm reading this right, it sounds like when he / she puts a pass rule
in a separate file called from vision.conf (or whatever) via "include
<foo>" the pass rule doesn't trigger, but if it's put directly in the
main config (vision.conf in this case) pass will trigger, and the alert
won't. 

My pass rules are all in a main snort.conf which then has "include" for
various -lib files, which works fine. Would having "include" get hit
after everything in the main config, even with -o?




--shawn

-- 
s h a w n   m o y e r
shawn at ...232...




More information about the Snort-devel mailing list