[Snort-users] icmp pass rules

Stephen Reese rsreese at ...11827...
Fri Oct 24 13:50:44 EDT 2008


> Depends. If you want to ignore a signature *as is* on an IP/network,
> then use a suppression.
>
> If you have to customize the signature to further refine the match (for
> example, the ICMP redirect), or if you want to ignore the alerts between
> two explicit IPs, then use a pass rule.
>
> Keep in mind that when you use a pass rule, no further traffic matching
> is done. If the pass rule matches, then Snort stops evaluating any other
> sigs. (at least if the processing order is changed to pass->alert->log).
> Using suppressions, Snort will ignore that alert, but continue to match
> the packet against other signatures.
>
> -Frank

Ahhh, that helps a lot. Thank you.
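
The two options described in the quoted reply, side by side, as an added example that is not part of the original thread. The addresses (192.0.2.1 as the router, 192.0.2.20 as the host) and the local sid 1000001 are constructed placeholders; 1:472 is the stock "ICMP redirect host" signature.

```conf
# --- Option 1: suppression (threshold.conf or snort.conf) ---
# Ignore stock signature 1:472 (ICMP redirect host) as-is whenever the
# source is the router. Only this one alert is silenced; the packet is
# still matched against every other signature.
suppress gen_id 1, sig_id 472, track by_src, ip 192.0.2.1

# --- Option 2: pass rule (local.rules) ---
# Customized match between two explicit IPs: only ICMP type 5 / code 1
# (redirect for host) sent by the router to one host. When this rule
# matches, no other signature is evaluated for the packet, so keep the
# match as narrow as possible.
pass icmp 192.0.2.1 any -> 192.0.2.20 any (msg:"LOCAL pass ICMP redirect router to host"; itype:5; icode:1; sid:1000001; rev:1;)

# --- Rule ordering (snort.conf) ---
# Explicitly evaluate pass rules before alert rules, the
# pass->alert->log order the reply refers to.
config order: pass alert log
```

Use one option or the other for a given case: the suppression keeps the rest of the ruleset watching that traffic, while the pass rule removes matching packets from detection entirely.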



