[Snort-users] Quick Rule's Question...

Erek Adams erek at ...577...
Wed Mar 6 14:36:03 EST 2002


On Wed, 6 Mar 2002, James Hoagland wrote:

> Hello Erek,

Howdy James!

> Well, you asked...

*sigh*  I knew that would get me in trouble!  ;-)

> Not correct.  "pass" versus "alert" versus "log" only gets considered
> after the rule matches on some packet.  That is, the signature
> matching proceeds the same regardless of which of those 3 rule types
> is specified.  The parser does not do anything special with pass
> rules.  Just the signature matching code and then only after it finds
> a match.  (Order of rule application is a whole other discussion.)

Yep, I should have RTFC (Read the Friendly Code) before replying.  :)  Good
catch James!

[...snip...]

> [In Erek's tradition, let me say that I'm pretty sure what I said was
> correct, but would appreciate being clue'd in if not. :) ]

Oh god...  Now _I'm_ a _tradition_?  Why does that bring to mind a Hank
Williams Jr. song?  ;-)  Eeep!  Run Away!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list