[Snort-users] -o and pass/alert/log usage

Tony Lill ajlill at ...1676...
Thu Jun 28 18:57:36 EDT 2001


>>>>> "Paul" == Paul Sheahan <Sheahan> writes:


    Paul> I was told in another post that it doesn't matter WHERE the
    Paul> pass rules are in any of the .rules files, and it doesn't
    Paul> matter in what order the rules files are included in
    Paul> snort.conf. If you use the -o option, all pass rules are
    Paul> taken into account first, then alerts. If this is wrong, I'd
    Paul> like to know so I get it straight too!

That's how it's supposed to work. However, if you are using 1.7,
there's some bug with include directives that makes this not so, and I
had to move my pass rules before including all the snort rules to work
around it.

I really have to find some time to verify whether or not it exists in
the current CVS source.
--
Tony Lill,                         Tony.Lill at ...1685...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
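
An added example, not part of the original message and not Snort source code: a simplified Python model of the intended behaviour discussed above, in which rules are grouped by action as they are parsed and `-o` switches evaluation from alert, pass, log to pass, alert, log. The rule headers, addresses and function names are constructed for illustration, and first-match-wins evaluation is an assumption of the model.

```python
from ipaddress import ip_address, ip_network

DEFAULT_ORDER = ("alert", "pass", "log")   # evaluation order without -o
DASH_O_ORDER = ("pass", "alert", "log")    # evaluation order with -o

# Constructed ruleset: the pass rule comes last, as if pulled in by a later include.
RULES = """
alert tcp any any -> 192.168.1.0/24 80
log tcp any any -> 192.168.1.0/24 any
pass tcp 192.168.1.5 any -> 192.168.1.0/24 80
"""

def parse(text):
    """Group rule headers by action; file position only matters inside a group."""
    groups = {"alert": [], "pass": [], "log": []}
    for line in text.strip().splitlines():
        action, proto, src, sport, _arrow, dst, dport = line.split()
        groups[action].append((proto, src, sport, dst, dport))
    return groups

def addr_ok(spec, addr):
    # "any" matches everything; otherwise treat the spec as a host or CIDR block.
    return spec == "any" or ip_address(addr) in ip_network(spec)

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def verdict(groups, order, proto, src, sport, dst, dport):
    """Return the action of the first matching rule, walking the groups in `order`."""
    for action in order:
        for r_proto, r_src, r_sport, r_dst, r_dport in groups[action]:
            if (r_proto == proto and addr_ok(r_src, src) and port_ok(r_sport, sport)
                    and addr_ok(r_dst, dst) and port_ok(r_dport, dport)):
                return action
    return None  # no rule matched

if __name__ == "__main__":
    groups = parse(RULES)
    trusted = ("tcp", "192.168.1.5", 40000, "192.168.1.20", 80)
    print("without -o:", verdict(groups, DEFAULT_ORDER, *trusted))
    print("with -o:   ", verdict(groups, DASH_O_ORDER, *trusted))
```

In this model the pass rule suppresses the alert only under the `-o` ordering, and moving it to a different line of the ruleset changes nothing, which is the behaviour the 1.7 include bug reportedly breaks.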



