[Snort-sigs] ignore specific sid's ?

Dirk Mueller dmuell at ...433...
Tue Aug 13 14:01:02 EDT 2002


I've a question about snort rules writing. I'd like to ignore certain "false
positives" of a certain rule, let's call it sid:4711.

I wrote something like

pass tcp somehost theport -> any any (sid:4711;)

But this doesn't seem to work. Is there any way to do something like that,
i.e. without modifying the original rule (which is fetched from the snort
distribution, and is therefore difficult to keep during upgrades)?

Dirk (received 870 mails today)

