[Snort-users] Pass rule not passing preprocessors
bet at ...6163...
Sun Apr 20 10:20:04 EDT 2003
2003-04-20T03:20:21 Always Bishan:
> Now by writing this pass rule I'm able to avoid any
> alerts from my rules directory, but preprocessors are
> still generating alerts.
That's right. Preprocessors are applied before rules --- including
> Is there anyway to avoid this?
There are only two possible ways to blind preprocessors to certain
traffic. For certain preprocessors (e.g. portscan, portscan2)
there's a corresponding "-ignorehosts" preprocessor
(portscan-ignorehosts, portscan2-ignorehosts respectively) that
allows blinding just that preprocessor to a list of hosts.
The other approach can blind all of snort --- all preprocessors, all
rules, everything --- to specific traffic; that's to use a bpf
filter. These can be specified on the cmdline (that's the optional
"expression" that can be at the end of the cmdline), or in a file
named by the -F option on the cmdline. Packet filtering specified by
BPF rules happens before snort sees the packets, so it completely
blinds snort to whatever the rules elect to drop.
I dabbled a bit with the above, but I ended up disabling the
preprocessors that were inflicting false-positives on me.