[Snort-users] short-circuiting rules

Chris Green cmg at ...1935...
Mon Jun 30 07:58:03 EDT 2003


Peter Moody <peter at ...9047...> writes:

> Hello,
>
> I'm looking at setting up snort to ignore certain types of traffic and
> log absolutely everything else.  Essentially, I don't care about p2p
> traffic, but everything else I want logged for potential forensic
> analysis.
>
> In my test setup, I've got a pass on the traffic that I don't care
> about, and then a catch-all rule which logs everything else.  The
> problem is that, even though I've got a pass rule, it appears that the
> traffic is being captured by the later rules.  Someone mentioned
> something about a "short-circuit" directive for the rules, but I can't
> find any mention of it in the docs.  Is it possible that I just have my
> rules written incorrectly or do I need to use this directive?

You need to use the -o option to push their traffic priority
first. Try using a current CVS snapshot as quite a few bugs have been
fixed with this recently.

Snort 2.0.1 should be out shortly.
-- 
Chris Green <cmg at ...1935...>
"I'm beginning to think that my router may be confused."
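A minimal rules file of the kind the thread describes, as an added example that is not from the original exchange; the p2p port range, sids and file names are illustrative assumptions, and the command line only shows the -o switch Chris refers to:

```snort
# local.rules (added example; ports 6881:6889 are a placeholder for the p2p traffic to ignore)

# 1. Pass rules: traffic we do not want logged at all.
pass tcp any any <> any 6881:6889 (msg:"p2p - passed, not logged"; sid:1000001; rev:1;)
pass udp any any <> any 6881:6889 (msg:"p2p - passed, not logged"; sid:1000002; rev:1;)

# 2. Catch-all log rule: everything else is written to the log directory
#    for later forensic review.
log ip any any -> any any (msg:"catch-all log"; sid:1000003; rev:1;)

# Start snort with -o so the pass list is evaluated ahead of the alert and
# log lists (Pass -> Alert -> Log instead of the default Alert -> Pass -> Log);
# without -o the p2p packets still reach the catch-all log rule:
#
#   snort -o -c snort.conf -l /var/log/snort
```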
