[Snort-users] 1st Attempt at writing some pass rules :-)
Keith W. McCammon
mccammon at ...11827...
Sun Jul 25 14:40:08 EDT 2004
> now, do I make a new file to hold these pass rules, or can I just stuff them in

Stuff 'em in local.rules. Or use suppress. I'm plugging this
constantly, because it's a more precise way to deal with these
problems, requires no rule changes, and won't result in as many legit
detects being cast aside.

> Also, I was reading something about alerts being processed before pass rules,
> so would I need to insert something into snort.conf to make it process PASS,
> then ALERT? Since pass means DROP, it won't do anything with the packet, even
> if it sees it, correct?

This is in the documentation. The -o option does this.

Some friendly advice: Read all of the documentation and FAQs prior to
posting. Pretty much all of these things are spelled out in these
docs. It'll save you a lot of time.
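
The two approaches named in the reply above, side by side, as an added example that is not part of the original message. The host address 192.0.2.10, the signature IDs and the configuration path are constructed placeholders; the suppress line follows the Snort 2.x threshold syntax.

```conf
# Added example; addresses, SIDs and paths are constructed placeholders.

# Option 1: pass rule in local.rules.
# Every packet matching this header is ignored by ALL alert rules,
# so unrelated detections for this host and port are lost as well.
pass tcp 192.0.2.10 any -> any 80 (msg:"Ignore trusted host"; sid:1000002; rev:1;)

# A pass rule only takes effect if Snort evaluates pass rules before
# alert rules, which is what the -o option mentioned above changes:
#   snort -o -c /etc/snort/snort.conf

# Option 2: suppress entry (threshold.conf or snort.conf).
# Silences only signature 1000001 (generator 1) when the source is
# 192.0.2.10; every other rule still fires for that host.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
```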