[Snort-sigs] "official" pass rules & feature request

McCammon, Keith Keith.McCammon at ...647...
Fri Aug 2 10:22:01 EDT 2002


> Yes, that would implement the NOT operator.
> But i was thinking of a more complex case, when perhaps you implement
> AND, OR, etc...

Well, that's essentially in place as well.  All rule conditions within a single rule must match when AND is applied.  And every rule in the conf file (and includes) is essentially an OR.  All you have to do is understand the order of rule inspection, and place your custom files (and canned rules files) accordingly.  That, coupled with the proper pass rules and BPF statements should be sufficient to make your IDS more manageable and accurate.

Cheers

Keith 




More information about the Snort-sigs mailing list