[Snort-sigs] if match on rule don't log or something like tha t

Federico Castañeda F_CASTANEDA at ...2024...
Tue Dec 16 06:53:03 EST 2003


Alex:

Check if you are using the snort option:

	-o         Change the rule testing order to Pass|Alert|Log

This will priorize the pass rules before the alert rules nad must resolve
your problem.

Saludos,

-----Original Message-----
From: Alexandru Balan [mailto:jay at ...1722...]
Sent: Tuesday, December 16, 2003 11:20 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] if match on rule don't log or something like that



	Hello, i'm getting a lot of false positives on a few of the rules
and
i'd like to customise them like the following example: 

let's say i have server x which generates most false positives and i
want to ignore matches on some signature if the packets are directed to
him. 
I tried adding another include $rule_path/server.x/false-positives.rules
in which i added the signature with "pass" ( the manual said pass
ignores the packet ). But still the packet is matched on the default
rule ( alert $ANY - > $MY_HOME_NET ..signature ( which includes that
server  ). 

I'm terribly sorry for my poor exprimation. I'm jus trying to ignore
matches to some hosts using a "false-positives.rules" file included in
snort.conf

-- 
Jay
Public GnuPG key AAB551A4 available at
http://www.ines.ro/public_keys/jay.gpg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20031216/dda0bd58/attachment.html>


More information about the Snort-sigs mailing list