[Snort-users] short-circuiting rules
cmg at ...1935...
Mon Jun 30 07:58:03 EDT 2003
Peter Moody <peter at ...9047...> writes:
> I'm looking at setting up snort to ignore certain types of traffic and
> log absolutely everything else. Essentially, I don't care about p2p
> traffic, but everything else I want logged for potential forensic
> In my test setup, I've got a pass on the traffic that I don't care
> about, and then a catch-all rule which logs everything else. The
> problem is that, even though I've got a pass rule, it appears that the
> traffic is being captured by the later rules. Someone mentioned
> something about a "short-circuit" directive for the rules, but I can't
> find any mention of it in the docs. Is it possible that I just have my
> rules written incorrectly or do I need to use this directive?
You need to use the -o option to push their traffic priority
first. Try using a current CVS snapshot as quite a few bugs have been
fixed with this recently.
Snort 2.0.1 should be out shortly
Chris Green <cmg at ...1935...>
"I'm beginning to think that my router may be confused."
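The point Chris is making about -o concerns Snort's rule-type application order: by default Snort 2.x applies Alert rules, then Pass, then Log, and -o changes that to Pass, Alert, Log, so a matching pass rule gets to short-circuit before an alert rule can fire. The following is an added example, a small Python model of that ordering written for this page and not code from Snort or from either poster. The rule lines, ports, sids and packets in it are constructed for illustration; it only models the evaluation order that -o switches, and does not reproduce the 2.0 pass-rule bugs Chris refers to.

```python
# Toy model of Snort 2.x rule-type ordering (added example, not Snort code).
# Default order: alert -> pass -> log.  With -o: pass -> alert -> log.
# A packet is handled by the first rule type in the order that has a
# matching rule; a matching pass rule short-circuits everything after it.

import re

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort without -o
O_SWITCH_ORDER = ("pass", "alert", "log")  # Snort with -o

# Minimal header/option grammar: action proto src sport -> dst dport (opts)
RULE_RE = re.compile(
    r'^(alert|pass|log)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$'
)

# Constructed rules in the spirit of the question: ignore p2p, catch the rest.
CONSTRUCTED_RULES = [
    'pass tcp any any -> any 6346 (msg:"p2p gnutella - ignore"; sid:1000001;)',
    'pass tcp any any -> any 1214 (msg:"p2p kazaa - ignore"; sid:1000002;)',
    'alert ip any any -> any any (msg:"catch-all alert"; sid:1000003;)',
    'log ip any any -> any any (msg:"log everything else"; sid:1000004;)',
]


def parse_rule(line):
    """Parse one constructed rule line into a dict (action, proto, dport, msg)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    action, proto, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return {
        "action": action,
        "proto": proto,
        "dport": None if dport == "any" else int(dport),
        "msg": msg.group(1) if msg else "",
    }


def rule_matches(rule, pkt):
    """'ip' rules match any protocol; 'any' dport matches any port."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]


def dispatch(rules, pkt, order):
    """Return (action, msg) of the first rule that fires under `order`, else None.

    Rule types are visited in `order`; within a type, rules fire in file order.
    """
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["msg"]
    return None


def compare_orders(rule_lines, pkt):
    """Show what the same packet does with and without -o."""
    rules = [parse_rule(r) for r in rule_lines]
    return {
        "default": dispatch(rules, pkt, DEFAULT_ORDER),
        "with -o": dispatch(rules, pkt, O_SWITCH_ORDER),
    }


if __name__ == "__main__":
    # Constructed packets: a Gnutella connection and an SSH connection.
    for pkt in ({"proto": "tcp", "dport": 6346}, {"proto": "tcp", "dport": 22}):
        print(pkt, compare_orders(CONSTRUCTED_RULES, pkt))
```

With the alert catch-all in place, the p2p packet is alerted on under the default order (alert before pass) and passed under -o; the SSH packet hits the catch-all either way. If the catch-all is only a log rule, pass already precedes log in both orders, so dropping the alert line from the list makes the two columns agree, which is the ordering detail worth checking before blaming the rules themselves.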