[Snort-users] Snort Rules
neil at ...1633...
Fri Jun 8 11:06:09 EDT 2001
Colin Wu <wucolin at ...2195...> wrote in response to me:
>Don't you also need to specify the protocol? i.e. tcp, udp, or icmp?
[ ... Snip ... ]
>> It depends. If you are using the '-o' switch when invoking snort, then
>> pass rules have precedence over alert rules. If you aren't, then alert
>> rules have precedence. Check to be sure that you are using this switch.
Yup, sure do. I didn't catch that part, and was only responding to his
question regarding the precedence of 'pass' and 'alert' rules.
Neil Dickey, Ph.D.
Northern Illinois University