[Snort-users] pass rule or normal rule with "!"

Laurent laurent_news at ...131...
Fri Feb 8 06:40:06 EST 2002

We have a web application running on an IIS server and
all the "normal" requests will have a common beginning
for the URL.
I would like Snort to generate an alert (and log the
URL) when requests not having the expected pattern are
sent to the Web server.

I think we have two choices:

1) writing a pass rule with "uricontent" set to the
normal expected pattern.

2) writing an alerting rule with "!" before the
expected pattern.

Are the two solutions completely identical (for
performance for example) or is there a preferred
method?
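
The two options from the post, written out as Snort rules. This is an added example, not part of the original message. The `/myapp/` prefix, the messages and the sid values are assumed placeholders, `$EXTERNAL_NET` and `$HTTP_SERVERS` are the usual snort.conf variables, and option 2 assumes a Snort version that accepts a negated `uricontent`.

```snort
# Option 1: pass rule for the expected pattern, plus a catch-all alert.
# The pass rule only suppresses the alert if pass rules are evaluated
# before alert rules; on versions where alert rules come first, start
# Snort with -o to change the order to pass, alert, log.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (uricontent:"/myapp/";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB request outside /myapp/ (catch-all)"; uricontent:"/"; sid:1000001; rev:1;)

# Option 2: one alert rule with "!" before the expected pattern.
# Fires when the pattern is absent from the request URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB request outside /myapp/ (negated match)"; uricontent:!"/myapp/"; sid:1000002; rev:1;)
```

In both forms `uricontent` matches the pattern anywhere in the URI rather than only at its start, so a request that carries `/myapp/` later in the URI is treated as expected.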


