[Snort-sigs] ignore specific sid's ?
dmuell at ...433...
Tue Aug 13 14:01:02 EDT 2002
I've a question about snort rules writing. I'd like to ignore certain "false
positives" of a certain rule, let's call it sid:4711.
I wrote something like
pass tcp somehost theport -> any any (sid:4711;)
But this doesn't seem to work. Is there any way to do something like that,
i.e. without modifying the original rule (which is fetched from the snort
distribution, and is therefore difficult to keep during upgrades)?
Dirk (received 870 mails today)