[Snort-sigs] Help on an ICMP rule: sid 486

Daniel Roelker droelker at ...435...
Wed Aug 25 15:23:02 EDT 2004

On Wed, 2004-08-25 at 17:48, Brian wrote:
> I've seen people add the following rule, expecting snort to no longer
> alert on tcp traffic generated from their hosts:
>     pass tcp $HOME_NET any -> $EXTERNAL_NET any 
> Now, what do you think this will do to snort if you have left HOME_NET
> and EXTERNAL_NET configured as they are by default? 

Well, you just eliminated all your TCP false positives.  Isn't that
good?  :)

Daniel Roelker
Software Developer
Sourcefire, Inc.
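
An added example, not part of the original message or of Snort itself: a small linter that expands the `var` definitions in a Snort 2.x-style config and flags pass rules whose header resolves to any/any on both sides, which is what the quoted rule becomes when HOME_NET and EXTERNAL_NET are left at `any`. The sample config, the DNS_HOST variable and its address are constructed for illustration.

```python
import re
# Constructed sample config: the two HOME_NET/EXTERNAL_NET lines mirror the
# defaults the post refers to; DNS_HOST and the second pass rule are made up.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var DNS_HOST 192.0.2.53
pass tcp $HOME_NET any -> $EXTERNAL_NET any
pass udp $DNS_HOST 53 -> $EXTERNAL_NET any
"""

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)")

def load_vars(conf):
    """Collect `var NAME value` definitions (Snort 2.x syntax)."""
    variables = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
    return variables

def resolve(token, variables, depth=0):
    """Expand $NAME references, following chains of variables."""
    if token.startswith("$") and depth < 10:
        name = token[1:].strip("()")
        if name not in variables:
            raise KeyError(f"undefined variable {token}")
        return resolve(variables[name], variables, depth + 1)
    return token

def overbroad_pass_rules(conf):
    """Return (rule, proto) for pass rules that expand to any/any on both sides."""
    variables = load_vars(conf)
    findings = []
    for line in conf.splitlines():
        m = HEADER.match(line.strip())
        if not m or m["action"] != "pass":
            continue
        fields = [resolve(m[k], variables) for k in ("src", "sport", "dst", "dport")]
        if all(f == "any" for f in fields):
            findings.append((line.strip(), m["proto"]))
    return findings

if __name__ == "__main__":
    for rule, proto in overbroad_pass_rules(SAMPLE_CONF):
        print(f"pass rule matches all {proto} traffic: {rule}")
```

Once HOME_NET is set to the monitored address range, the same rule stops resolving to any/any and the linter no longer flags it.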
