[Snort-users] 1st Attempt at writing some pass rules :-)

Keith W. McCammon mccammon at ...11827...
Sun Jul 25 14:40:08 EDT 2004


> now, do I make a new file to hold these pass rules, or can I just stuff them in
> local.rules?

Stuff 'em in local.rules.  Or use suppress.  I'm plugging this
constantly, because it's a more precise way to deal with these
problems, requires no rule changes, and won't result in as many legit
detects being cast aside.
 
> Also, I was reading something about alerts being processed before pass rules,
> so would I need to insert something into snort.conf to make it process PASS,
> then ALERT?  Since pass means DROP, it won't do anything with the packet, even
> if it sees it, correct?

This is in the documentation.  The -o option does this.  

Some friendly advice: Read all of the documentation and FAQs prior to
posting.  Pretty much all of these things are spelled out in these
docs.  It'll save you a lot of time.
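
Added example (not part of the original post): the two approaches the reply compares, side by side, for a constructed case where a scanner at 192.0.2.10 keeps triggering one signature on the web servers. The address, both SIDs and the rule text are placeholders made up for illustration.

```conf
# --- Option 1: pass rule in local.rules --------------------------------
# Matches on header fields only, so EVERY signature is skipped for this
# traffic, not just the noisy one. It only wins over alert rules when
# pass rules are evaluated first (the -o ordering mentioned above).
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"LOCAL ignore scanner to web servers"; sid:1000001; rev:1;)

# --- Option 2: suppress entry (snort.conf or a file it includes) -------
# Silences a single signature (generator 1, constructed sig_id 1000002)
# for a single source address. No rule is edited, every other signature
# still alerts on traffic from that host, and the suppressed signature
# still alerts for all other sources.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10
```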



