[Snort-users] short-circuiting rules

twig les twigles at ...131...
Thu Jun 26 12:56:17 EDT 2003


The short-circuit could have referred to starting snort with the
-o parameter.

--- Peter Moody <peter at ...9047...> wrote:
> Hello,
> 
> I'm looking at setting up snort to ignore certain types of traffic and
> log absolutely everything else.  Essentially, I don't care about p2p
> traffic, but everything else I want logged for potential forensic
> analysis.
> 
> In my test setup, I've got a pass on the traffic that I don't care
> about, and then a catch-all rule which logs everything else.  The
> problem is that, even though I've got a pass rule, it appears that the
> traffic is being captured by the later rules.  Someone mentioned
> something about a "short-circuit" directive for the rules, but I can't
> find any mention of it in the docs.  Is it possible that I just have my
> rules written incorrectly or do I need to use this directive?
> 
> here's the rules for reference:
> 
> pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)
> 
> pass tcp $OTHERME any -> $ME any (msg:"http request"; content:"HTTP/1."; nocase; classtype:policy-violation; rev:4;)
> 
> 
> log tcp $ME any -> $OTHERME any (msg:"other traffic";)
> 
> Thanks.
> 
> -Peter
> 
> -- 
> Peter Moody                             <peter at ...9047...>
> Information Security Administrator      831/459.5409
> Communications and Technology Services.
> http://mustard.ucsc.edu/pubkey
> UC, Santa Cruz.
> :wq
> 




=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------
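A way to see what the rule-type order actually does, added here as an illustration rather than anything from this thread or from Snort's source: a small Python model that applies the documented order (alert, pass, log without `-o`; pass, alert, log with `-o`) to Peter's rules, with the option syntax corrected. The model treats the first rule type that has a matching rule as final, which is the documented behaviour for these types. The addresses behind `$ME`/`$OTHERME`, the extra `alert` rule, and the packets are constructed for the example.

```python
"""Toy model of Snort's rule-type evaluation order (alert, pass, log).
Constructed for illustration, not taken from Snort's source: rule types
are tried in a fixed order and the first type with a matching rule wins."""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_ORDER = ("alert", "pass", "log")  # snort without -o
DASH_O_ORDER = ("pass", "alert", "log")   # snort -o

# Assumed addresses for the variables in the posted rules (constructed).
VARS = {"$ME": "10.0.0.5", "$OTHERME": "10.0.0.6"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    msg: str = ""
    content: Optional[bytes] = None
    nocase: bool = False

@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    payload: bytes = b""

def parse_rule(line: str) -> Rule:
    """Parse a '->' rule header plus msg/content/nocase; other options such as
    classtype and rev are accepted and ignored (';' inside content: unsupported)."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    for opt in m["opts"].split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.content = val.encode()
        elif key == "nocase":
            rule.nocase = True
    return rule

def _field_ok(pattern: str, value) -> bool:
    """'any' matches everything; otherwise resolve a $VAR and compare as text."""
    return pattern == "any" or VARS.get(pattern, pattern) == str(value)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header match first, then the content check if the rule has one."""
    if rule.proto != pkt.proto:
        return False
    if not (_field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport)):
        return False
    if rule.content is None:
        return True
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def evaluate(pkt: Packet, rules: list, order=DEFAULT_ORDER) -> str:
    """Rule type that decides the packet ('none' if nothing matches): types are
    tried in `order`, and the first type holding a matching rule wins."""
    for rtype in order:
        if any(r.action == rtype and rule_matches(r, pkt) for r in rules):
            return rtype
    return "none"

# The posted rules with their option syntax corrected, plus one alert rule
# added for the example so alert-vs-pass ordering has something to act on.
RULES = [parse_rule(s) for s in (
    'pass tcp $ME any -> $OTHERME any (msg:"http request"; content:"HTTP/1."; '
    'nocase; classtype:policy-violation; rev:4;)',
    'pass tcp $OTHERME any -> $ME any (msg:"http request"; content:"HTTP/1."; '
    'nocase; classtype:policy-violation; rev:4;)',
    'log tcp $ME any -> $OTHERME any (msg:"other traffic";)',
    'alert tcp $ME any -> $OTHERME 80 (msg:"http to otherme"; content:"HTTP/1."; nocase;)',
)]
RULES_AS_POSTED = RULES[:3]  # only the pass and log rules

# Constructed packets: an outbound HTTP request, outbound SSH, inbound SSH.
HTTP_PKT = Packet("tcp", "10.0.0.5", 40001, "10.0.0.6", 80, b"GET / http/1.1\r\n")
SSH_PKT = Packet("tcp", "10.0.0.5", 40002, "10.0.0.6", 22, b"SSH-2.0-OpenSSH\r\n")
INBOUND_PKT = Packet("tcp", "10.0.0.6", 22, "10.0.0.5", 40003, b"SSH-2.0-OpenSSH\r\n")

if __name__ == "__main__":
    for name, pkt in (("http", HTTP_PKT), ("ssh", SSH_PKT), ("inbound", INBOUND_PKT)):
        print(f"{name:8} default={evaluate(pkt, RULES):6} -o={evaluate(pkt, RULES, DASH_O_ORDER):6} "
              f"as-posted={evaluate(pkt, RULES_AS_POSTED)}")
```

Running it shows where `-o` makes a difference: the HTTP request raises the added alert under the default order but is passed under `-o`, because only `-o` lets a pass rule pre-empt an alert rule. With just the pass and log rules as posted, pass is tried before log under either order, so the HTTP packet is passed and the SSH packet is logged either way. Two things worth checking in a real deployment: Snort 2.x also accepts `config order: pass alert log` in snort.conf as the equivalent of `-o`, and the catch-all `log` rule as written only covers `$ME -> $OTHERME`, so the inbound packet in the example matches nothing at all.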
