[Snort-users] Quick Rule's Question...
erek at ...577...
Wed Mar 6 14:36:03 EST 2002
On Wed, 6 Mar 2002, James Hoagland wrote:
> Hello Erek,
> Well, you asked...
*sigh* I knew that would get me in trouble! ;-)
> Not correct. "pass" versus "alert" versus "log" only gets considered
> after the rule matches on some packet. That is, the signature
> matching proceeds the same regardless of which of those 3 rule types
> is specified. The parser does not do anything special with pass
> rules. Just the signature matching code and then only after it finds
> a match. (Order of rule application is a whole other discussion.)
Yep, I should have RTFC (Read the Friendly Code) before replying. :) Good
> [In Erek's tradition, let me say that I'm pretty sure what I said was
> correct, but would appreciate being clue'd in if not. :) ]
Oh god... Now _I'm_ a _tradition_? Why does that bring to mind a Hank
Williams Jr. song? ;-) Eeep! Run Away!
More information about the Snort-users