[Snort-users] short-circuiting rules

Peter Moody peter at ...9047...
Thu Jun 26 12:49:06 EDT 2003


Hello,

I'm looking at setting up Snort to ignore certain types of traffic and
log absolutely everything else.  Essentially, I don't care about p2p
traffic, but everything else I want logged for potential forensic
analysis.

In my test setup, I've got a pass on the traffic that I don't care
about, and then a catch-all rule which logs everything else.  The
problem is that, even though I've got a pass rule, it appears that the
traffic is being captured by the later rules.  Someone mentioned
something about a "short-circuit" directive for the rules, but I can't
find any mention of it in the docs.  Is it possible that I just have my
rules written incorrectly or do I need to use this directive?

Here are the rules for reference:

# Pass rules: skip HTTP requests in either direction between $ME and $OTHERME.
# The option block is a single (...) group; every option ends with ';'.
pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)

pass tcp $OTHERME any -> $ME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)

# Catch-all: log everything else from $ME to $OTHERME.
log tcp $ME any -> $OTHERME any (msg:"other traffic";)

Thanks.

-Peter

-- 
Peter Moody                             <peter at ...9047...>
Information Security Administrator      831/459.5409
Communications and Technology Services. http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
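An added example, not part of the original post and not Snort's own code: a small Python model of how Snort 2.x applies rules to a packet, used to check two things the post raises. First, a toy parser for the rule format rejects option blocks that are not one `(...)` group (the pasted rules close the block after `msg` and leave options dangling). Second, a matcher applies the pass and log rules in Snort's default rule order (alert, pass, log, as documented in the Snort manual) and in the `-o` order (pass, alert, log) to three constructed packets from one TCP flow. The addresses for `$ME` and `$OTHERME`, the packets and the payloads are all constructed here; the matcher only handles single-host variables, `->` rules and the `content`/`nocase` options, and treats the first matching rule as final.

```python
import re

# Rule application order in Snort 2.x (Snort manual): the default is
# alert -> pass -> log; the -o switch moves pass rules to the front.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<rest>.*)$"
)


def parse_rule(text):
    """Parse one rule line into a dict. Raises ValueError when the option
    block is not a single (...) group, e.g. when ')' closes it early."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % text)
    rest = m.group("rest").strip()
    opts = {}
    if rest:
        if not (rest.startswith("(") and rest.endswith(")")) or rest.count(")") != 1:
            raise ValueError("option block must be one (...) group: %r" % rest)
        # Toy option splitter: assumes no ';' inside quoted values.
        for item in rest[1:-1].split(";"):
            item = item.strip()
            if item:
                key, _, val = item.partition(":")
                opts[key.strip()] = val.strip().strip('"')
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["opts"] = opts
    return rule


def is_well_formed(text):
    """True if parse_rule accepts the line."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def rule_matches(rule, pkt, variables):
    """Header match plus the content/nocase options; other options are ignored."""
    def addr_ok(spec, addr):
        return spec == "any" or variables.get(spec, spec) == addr

    def port_ok(spec, port):
        return spec == "any" or int(spec) == port

    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"])):
        return False
    needle = rule["opts"].get("content")
    if needle is not None:
        hay = pkt["payload"]
        if "nocase" in rule["opts"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def apply_rules(rules, pkt, variables, order=DEFAULT_ORDER):
    """Return the action of the first matching rule, trying rule types in `order`.
    Simplification: the first match ends processing for the packet."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt, variables):
                return action
    return None


VARIABLES = {"$ME": "10.0.0.5", "$OTHERME": "10.0.0.9"}  # constructed addresses

RULES = [parse_rule(r) for r in (
    'pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; nocase;)',
    'pass tcp $OTHERME any -> $ME any (msg:"http request"; content:"HTTP/1."; nocase;)',
    'log tcp $ME any -> $OTHERME any (msg:"other traffic";)',
)]


def packet(src, dst, payload, sport=40000, dport=80):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, payload=payload)


# Three constructed packets from one client -> server TCP flow.
SYN = packet("10.0.0.5", "10.0.0.9", "")
REQUEST = packet("10.0.0.5", "10.0.0.9", "GET / HTTP/1.1\r\nHost: example\r\n\r\n")
BODY = packet("10.0.0.5", "10.0.0.9", "more request bytes, no version string")


def outcomes(order=DEFAULT_ORDER):
    """Action taken for SYN, REQUEST and BODY under the given rule order."""
    return [apply_rules(RULES, p, VARIABLES, order) for p in (SYN, REQUEST, BODY)]


if __name__ == "__main__":
    print("default order:", outcomes())                 # ['log', 'pass', 'log']
    print("pass first  :", outcomes(PASS_FIRST_ORDER))  # same: only pass and log rules exist
    print("pasted rule well-formed:",
          is_well_formed('pass tcp $ME any -> $OTHERME any (msg:"http request");'))
```

The result is the same under both orders: a `content`-based pass rule matches only the packets that actually carry `HTTP/1.`, so the SYN, the rest of the request and every other packet of that flow still fall through to the catch-all log rule. Silencing a whole conversation takes a pass rule that matches on the header alone (or a flow-aware mechanism), not a change of rule order.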

