[Snort-users] about pass rule

Ronneil Camara ronneilc at ...4042...
Sat Jan 19 11:52:02 EST 2002


Is it just replacing the word "alert" with "pass" so that it ignores the attack?

Example.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

  will become

pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

-o is also needed. :-)

Thanks. 

Neil



