[Snort-users] Snort Rules

Neil Dickey neil at ...1633...
Fri Jun 8 11:06:09 EDT 2001


Colin Wu <wucolin at ...2195...> wrote in response to me:

>Don't you also need to specify the protocol?  i.e. tcp, udp, or icmp?

[ ... Snip ... ]

>> It depends.  If you are using the '-o' switch when invoking snort, then
>> pass rules have precedence over alert rules.  If you aren't, then alert
>> rules have precedence.  Check to be sure that you are using this switch.

Yup, sure do.  I didn't catch that part, and was only responding to his
question regarding the precedence of 'pass' and 'alert' rules.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115






More information about the Snort-users mailing list