[Snort-sigs] ignore specific sid's ?

McCammon, Keith Keith.McCammon at ...647...
Tue Aug 13 14:12:04 EDT 2002


You can just copy the alert rule to local.rules, and change alert to pass. You obviously shouldn't get a new copy of local.rules every time you extract and replace the distribution.

> -----Original Message-----
> From: Dirk Mueller [mailto:dmuell at ...433...]
> Sent: Tuesday, August 13, 2002 5:00 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] ignore specific sid's ?
> 
> 
> Hi, 
> 
> I've a question about snort rules writing. I'd like to ignore
> certain "false positives" of a certain rule, let's call it sid:4711.
> 
> I wrote something like
> 
> pass tcp somehost theport -> any any (sid:4711;)
> 
> 
> But this doesn't seem to work. Is there any way to do
> something like that, i.e. without modifying the original rule
> (which is fetched from the snort distribution, and is therefore
> difficult to keep during upgrades)?
> 
> 
> 
> -- 
> Dirk (received 870 mails today)
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
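The approach in the reply above (copy the distribution alert rule into local.rules and turn it into a pass rule), worked through as an added example. This is not code from either poster; it assumes Snort 2.x style rule syntax, and the two rules in SAMPLE_RULES are constructed for the example rather than taken from a real rule set. The pass rule keeps the original detection options, so it matches exactly the packets the alert rule matches, but narrows the source address to the one host whose traffic is the known false positive; it is also given its own sid (the 1000000+ range is the usual choice for local rules) instead of reusing sid 4711, so it does not collide with the distribution rule.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Constructed stand-in for a distribution rules file (not real Snort rules).
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example false positive"; flow:to_server,established; content:"/example"; sid:4711; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example"; content:"USER"; sid:4712; rev:1;)'

# Print the single rule carrying the given sid.
# $1 = rules text, $2 = sid.  Fails (non-zero) when no rule has that sid.
find_rule_by_sid() {
    printf '%s\n' "$1" | grep -E "(\(|;)[[:space:]]*sid:[[:space:]]*$2[[:space:]]*;"
}

# Rewrite one alert rule as a pass rule:
#   - action "alert" becomes "pass"
#   - the source address is replaced by the known-benign host
#   - protocol, source port, direction, destination and all detection
#     options (flow:, content:, ...) are kept, so the pass rule matches
#     the same traffic the alert rule would have matched
#   - the sid is replaced so the pass rule does not duplicate the original
# $1 = alert rule, $2 = source host (IP or CIDR), $3 = new sid
alert_to_pass() {
    printf '%s\n' "$1" | sed -E \
        -e "s/^alert[[:space:]]+([^[:space:]]+)[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]+)[[:space:]]+->/pass \1 $2 \2 ->/" \
        -e "s/sid:[[:space:]]*[0-9]+;/sid:$3;/"
}

# Build the pass rule for sid $2 found in rules text $1, limited to source
# host $3, using $4 as the new sid.  Prints the rule; redirect it into
# local.rules.  Returns non-zero if the sid is not present.
add_pass_rule() {
    rule=$(find_rule_by_sid "$1" "$2") || return 1
    alert_to_pass "$rule" "$3" "$4"
}

# Example: suppress sid 4711 for traffic from 10.0.0.5 (constructed address).
# In real use:  add_pass_rule "$(cat web-misc.rules)" 4711 10.0.0.5 1000001 >> local.rules
add_pass_rule "$SAMPLE_RULES" 4711 10.0.0.5 1000001
```

Two things to check after adding the rule: Snort must actually load local.rules (an include line in snort.conf), and pass rules must be evaluated before alert rules. Depending on the Snort version, the default rule application order evaluates alert rules first, in which case the alert still fires; the -o switch (or the equivalent config order setting in snort.conf) moves pass rules ahead of alert rules so the suppression takes effect.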