[Snort-sigs] Help on an ICMP rule: sid 486

Daniel Roelker droelker at ...435...
Wed Aug 25 15:23:02 EDT 2004


On Wed, 2004-08-25 at 17:48, Brian wrote:
> I've seen people add the following rule, expecting snort to no longer
> alert on tcp traffic generated from their hosts:
> 
>     pass tcp $HOME_NET any -> $EXTERNAL_NET any 
> 
> Now, what do you think this will do to snort if you have left HOME_NET
> and EXTERNAL_NET configured as they are by default? 
> 

Well, you just eliminated all your TCP false positives.  Isn't that
good?  :)

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
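
The quoted question, worked through as an added example (not part of the original thread and not Snort project code): a small check that expands `var` definitions and reports `pass` rules whose addresses and ports all resolve to `any`. It assumes the default configuration sets both `HOME_NET` and `EXTERNAL_NET` to `any`; the function names, the sample configurations and the 192.0.2.0/24 network are constructed for illustration.

```python
import re

# Constructed sample: both variables left at "any" (assumed default), plus the
# pass rule quoted in the thread.
DEFAULT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
pass tcp $HOME_NET any -> $EXTERNAL_NET any
"""

# Constructed sample: the same rule after HOME_NET is set to a real network.
TUNED_CONF = """\
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
pass tcp $HOME_NET any -> $EXTERNAL_NET any
"""

# pass <proto> <src> <sport> <direction> <dst> <dport>
HEADER = re.compile(r"^pass\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")

def resolve(value, variables, depth=0):
    """Expand $NAME references (also inside !$NAME) until none remain."""
    if depth > 10:
        raise ValueError("variable reference loop")
    def sub(m):
        return resolve(variables[m.group(1)], variables, depth + 1)
    return re.sub(r"\$(\w+)", sub, value)

def blanket_pass_rules(conf_text):
    """Return (proto, rule) for pass rules whose header resolves to all 'any'."""
    variables, findings = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
            continue
        m = HEADER.match(line)
        if m:
            proto, src, sport, _, dst, dport = m.groups()
            fields = [resolve(f, variables) for f in (src, sport, dst, dport)]
            if all(f == "any" for f in fields):
                findings.append((proto, line))
    return findings

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        print(name, blanket_pass_rules(conf))
```

With both variables at `any` the rule is reported because it matches every TCP packet; once `HOME_NET` names a real network the same rule is no longer reported.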




