[Snort-sigs] ignore specific sid's ?

Ian Macdonald secsnortsigs at ...644...
Tue Aug 13 14:34:04 EDT 2002


also look at oinkmaster

Ian
----- Original Message -----
From: "McCammon, Keith" <Keith.McCammon at ...647...>
To: "Dirk Mueller" <dmuell at ...433...>; <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 13, 2002 5:11 PM
Subject: RE: [Snort-sigs] ignore specific sid's ?


> You can just copy the alert rule to local.rules, and change alert to pass.
> You obviously shouldn't get a new copy of local.rules every time you extract
> and replace the distribution.
>
> > -----Original Message-----
> > From: Dirk Mueller [mailto:dmuell at ...433...]
> > Sent: Tuesday, August 13, 2002 5:00 PM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] ignore specific sid's ?
> >
> >
> > Hi,
> >
> > I've a question about snort rules writing. I'd like to ignore certain
> > "false positives" of a certain rule, let's call it sid:4711.
> >
> > I wrote something like
> >
> > pass tcp somehost theport -> any any (sid:4711;)
> >
> >
> > But this doesn't seem to work. Is there any way to do something like that,
> > i.e. without modifying the original rule (which is fetched from the snort
> > distribution, and is therefore difficult to keep during upgrades)?
> >
> >
> >
> > --
> > Dirk (received 870 mails today)
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: Dice - The leading online job board
> > for high-tech professionals. Search and apply for tech jobs today!
> > http://seeker.dice.com/seeker.epl?rel_code=31
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>
>
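The local.rules approach from the quoted reply, as an added example that is not part of the original thread: a small Python helper that copies the alert rule carrying a given sid, changes the action to pass, and optionally narrows the source to the host producing the false positives. The function name, the sample rules, the address 192.0.2.10 and port 8080 are constructed for illustration; only sid 4711 comes from the question.

```python
import re

# Constructed sample of a distribution rules file. The rule bodies are
# invented for illustration; sid 4711 is the hypothetical sid from the thread.
SAMPLE_RULES = '''\
# constructed sample, not real Snort distribution rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE other"; content:"abc"; sid:4710; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE noisy rule"; content:"xyz"; sid:4711; rev:2;)
'''

# Single-line rules only: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

def make_pass_rule(rules_text, sid, src=None, sport=None, local_sid=None):
    """Return a pass copy of alert rule `sid` for appending to local.rules.

    src/sport narrow the copy to one source; the detection options are kept
    so the pass rule matches the same traffic the alert rule would have.
    """
    for line in rules_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # skip comments and disabled rules
        m = RULE_RE.match(line)
        if not m or m['action'] != 'alert':
            continue
        if not re.search(r'\bsid\s*:\s*%d\s*;' % sid, m['opts']):
            continue
        opts = m['opts']
        if local_sid is not None:
            # Local rules conventionally use sids from 1,000,000 upward.
            opts = re.sub(r'\bsid\s*:\s*\d+\s*;', 'sid:%d;' % local_sid, opts)
        return 'pass %s %s %s %s %s %s (%s)' % (
            m['proto'], src or m['src'], sport or m['sport'], m['dir'],
            m['dst'], m['dport'], opts)
    raise LookupError('no alert rule with sid %d' % sid)

if __name__ == '__main__':
    print(make_pass_rule(SAMPLE_RULES, 4711, src='192.0.2.10', sport='8080'))
```

In Snort releases of this period, rules are applied in Alert->Pass->Log order by default, so a pass rule only suppresses the alert when Snort is started with `-o`, which changes the order to Pass->Alert->Log.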




