[Snort-users] Snort pass rules...
mkettler at ...4108...
Tue May 24 11:37:11 EDT 2005
> I'm having a problem with a couple of pass rules. Usually I get a false
> alert (in BASE), look at the sid=n, grep for the rule, paste it into
> my local.rules and change alert to pass and alter the src/dst, etc....
> But I'm getting some alerts on sids without rules, like sid=2 or
> sid=7. I assume these are from one or more of my plugins. How do I add
> them to my local.rules or mimic that function?
To verify it's a plugin, look at the generator. If the generator isn't 1, it's a
plugin. (You can match which plugin it is by looking at the "generators" file
included with Snort.)

If it is a non-rule generator, then you cannot fix it with a pass rule. Pass
rules, being rules, can only prevent alerts caused by other rules. Non-rule
plugins are beyond their powers.

For plugins, you can use suppress to suppress that generator/sid combo for a
given IP or network. Or you can try to change the options on that plugin to
prevent it from firing off when it should not.
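As an added illustration of the generator check described above (example code, not from the original thread or the Snort project): parse the `[gid:sid:rev]` triple out of fast-format alert lines and decide whether a pass rule in local.rules can apply (gid 1) or whether a threshold.conf `suppress` entry for that generator/sid and source IP is needed instead. The alert lines are constructed samples, and the small GENERATORS table is an assumed subset to be checked against the generators file shipped with your install.

```python
import re
from typing import List, Optional

# Assumed subset of generator IDs (verify against the "generators" file in
# your Snort install). gen_id 1 is the rules engine; anything else is a
# preprocessor or decoder, which a pass rule cannot silence.
GENERATORS = {1: "snort_rules", 116: "decoder", 119: "http_inspect"}

# Constructed sample alerts in Snort fast-alert format.
SAMPLE_ALERTS = [
    "05/24-11:37:11.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Priority: 2] {UDP} 10.1.1.54:1434 -> 192.168.1.10:1434",
    "05/24-11:37:12.000002  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] "
    "[Priority: 3] {TCP} 10.1.1.54:3456 -> 192.168.1.10:80",
]

# "[**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line: str) -> Optional[dict]:
    """Extract gid/sid/rev, message and endpoints from one fast-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev"):
        d[key] = int(d[key])
    return d


def silencing_directive(alert: dict) -> str:
    """Return the right way to silence this alert for its source host."""
    gid, sid, src = alert["gid"], alert["sid"], alert["src"]
    if gid == 1:
        # Rule-engine alert: the usual pass-rule workflow in local.rules works.
        return f"pass rule: copy sid {sid}, change alert to pass, limit src to {src}"
    plugin = GENERATORS.get(gid, "unknown plugin, check generators file")
    # Preprocessor alert: suppress by generator/sid for that host (threshold.conf).
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}  # {plugin}"


def plan(lines: List[str]) -> List[str]:
    """Map each parseable alert line to its silencing directive."""
    return [silencing_directive(a) for a in map(parse_alert, lines) if a]


if __name__ == "__main__":
    for directive in plan(SAMPLE_ALERTS):
        print(directive)
```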