[Snort-sigs] ignore specific sid's ?

Moyer, Shawn smoyer at ...758...
Wed Aug 14 18:53:02 EDT 2002

Another thought in addition to Keith and Ian's comments (although I do 
agree with you that adding a way to create an "ignored-sids.rules" or 
somesuch would be interesting): howzabout maybe an egrep -v of all the 
distribution .rules files for the ignored sid's and then kicking all of 
the rules into a single local rules file? Not a bad way to go, and it 
would allow you to download the distribution nightly or whatever and 
still keep some site-specific config. Definitely a lot quicker than the 
old "cut / paste into local.rules, change action to pass" approach.

Nice thought on matching by SID, may give this a shot myself.


Dirk Mueller wrote:
> Hi, 
> I've a question about snort rules writing. I'd like to ignore certain "false 
> positives" of a certain rule, let's call it sid:4711. 
> I wrote something like
> pass tcp somehost theport -> any any (sid:4711;)
> But this doesn't seem to work. Is there any way to do something like that, 
> i.e. without modifying the original rule (which is fetched from the snort 
> distribution, and is therefore difficult to keep during upgrades) ?
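
The egrep -v approach suggested in the reply above, sketched as an added example that is not part of the original post or the Snort distribution. The file names, the ignore-list format and the function names are assumptions, and it assumes one rule per line with no backslash continuations.

```shell
#!/bin/sh
# Added example: merge distribution rules into one local file, minus ignored SIDs.
# Assumes one rule per line (no backslash continuations) and hypothetical file names.

# build_filtered_rules IGNORE_LIST OUT_FILE RULES_FILE...
# IGNORE_LIST holds one numeric SID per line; '#' comments and blank lines are allowed.
build_filtered_rules() {
    ignore_list=$1; out_file=$2; shift 2
    patterns=$(mktemp) || return 1

    # Turn each SID into an anchored pattern so 4711 does not also drop 47110 or 14711.
    while IFS= read -r line || [ -n "$line" ]; do
        sid=$(printf '%s' "$line" | sed 's/#.*//' | tr -d '[:space:]')
        [ -z "$sid" ] && continue
        case $sid in
            *[!0-9]*) echo "skipping non-numeric entry: $sid" >&2; continue ;;
        esac
        printf '[(;[:space:]]sid:[[:space:]]*%s[[:space:]]*;\n' "$sid" >> "$patterns"
    done < "$ignore_list"

    if [ -s "$patterns" ]; then
        # grep exits 1 when every line is filtered out; that is not an error here.
        cat "$@" | grep -E -v -f "$patterns" > "$out_file" || [ $? -eq 1 ]
    else
        cat "$@" > "$out_file"
    fi
    status=$?
    rm -f "$patterns"
    return $status
}

# Constructed sample input: three rules, ignore list names only SID 4711.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/dist.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed A"; sid:4711; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; sid:47110; rev:1;)
alert tcp any any -> any 80 (msg:"constructed C"; sid: 1234; rev:2;)
EOF
    printf '4711   # noisy on somehost\n' > "$d/ignored-sids.txt"
    build_filtered_rules "$d/ignored-sids.txt" "$d/site.rules" "$d/dist.rules"
    cat "$d/site.rules"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `demo` as the first argument to see the constructed rules filtered. Note that this drops a SID everywhere, unlike the per-host pass rule asked about in the quoted question.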

