[Snort-sigs] Help on an ICMP rule: sid 486
droelker at ...435...
Wed Aug 25 15:23:02 EDT 2004
On Wed, 2004-08-25 at 17:48, Brian wrote:
> I've seen people add the following rule, expecting snort to no longer
> alert on tcp traffic generated from their hosts:
> pass tcp $HOME_NET any -> $EXTERNAL_NET any
> Now, what do you think this will do to snort if you have left HOME_NET
> and EXTERNAL_NET configured as they are by default?
Well, you just eliminated all your TCP false positives. Isn't that
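An added example, not part of the original thread and not Snort's own code: a small Python check that expands `var` definitions in a config and flags `pass` rules that resolve to any-to-any, which is what the quoted rule becomes if HOME_NET and EXTERNAL_NET are both `any` (the default values assumed here). The sample config, the function names and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample config: the assumed defaults plus the rule quoted in the thread.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
pass tcp $HOME_NET any -> $EXTERNAL_NET any
pass tcp 192.0.2.10 any -> $EXTERNAL_NET 25
"""

# pass <proto> <src> <sport> <direction> <dst> <dport> [ (options) ]
RULE_RE = re.compile(r"^pass\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def resolve(token, variables):
    """Expand $VAR references; bounded so a self-referencing var cannot loop."""
    for _ in range(10):
        if not token.startswith("$") or token[1:] not in variables:
            break
        token = variables[token[1:]]
    return token


def broad_pass_rules(conf_text):
    """Return (line_no, expanded_rule) for pass rules where every address and port is 'any'."""
    variables, findings = {}, []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "var" and len(parts) >= 3:
            variables[parts[1]] = parts[2]
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        proto, src, sport, direction, dst, dport = match.groups()
        src, sport, dst, dport = (resolve(t, variables) for t in (src, sport, dst, dport))
        if src == sport == dst == dport == "any":
            findings.append((line_no, f"pass {proto} {src} {sport} {direction} {dst} {dport}"))
    return findings


if __name__ == "__main__":
    for line_no, rule in broad_pass_rules(SAMPLE_CONF):
        print(f"line {line_no}: pass rule matches all traffic once expanded: {rule}")
```

With HOME_NET set to the monitored address range and EXTERNAL_NET set to `!$HOME_NET`, the same rule no longer expands to any-to-any and the check reports nothing.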