[Snort-users] A question on Snort Flow tracking and Pass rules
shahchintanh at ...11827...
Wed Aug 5 07:35:11 EDT 2009
Just wanted a bit of clarification on the Snort
--- I am just trying to experiment a bit with the pass rules in Snort. The
question is, if we configure the pass rules, is it possible in Snort to
allow the particular TCP flow to go uninspected after the pass rule has been
triggered for that flow / TCP session?
--- To illustrate this, if we take an example of Yahoo Messenger, I
want to allow the entire TCP session to go uninspected after the signature for
Yahoo Messenger (inspecting for the string "YMSG") is matched. So
eventually, once the signature is matched, Snort should simply allow all
the packets of that flow to just pass through without any further inspection
for that specific flow/session. Is that possible? (It's the case of just
allowing Yahoo Messenger and denying everything else...)
--- Also wanted to know about the rule matching order of Snort. Does it go
for the rule body first and then the rule headers, or vice versa?
Any help or clue on the above queries would be highly appreciated.
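One way to express the session-level pass the question describes in Snort 2.x rule syntax, as an added example that is not from the original post: the first packet carrying "YMSG" sets a per-session flowbit, and a second pass rule matches every later packet of that session on the flowbit. The port 5050 header and the flowbit name are assumptions, and the flowbit only persists if the stream preprocessor is tracking the session.

```snort
# Evaluate pass rules before alert/log rules (Snort 2.x rule ordering).
config order: pass alert log

# The first packet carrying the YMSG marker sets a per-session flowbit and is passed.
# Port 5050 is an assumed Yahoo Messenger port; adjust it to the observed traffic.
pass tcp any any -> any 5050 (msg:"YMSG session start"; content:"YMSG"; \
    flowbits:set,ymsg.session; sid:1000001; rev:1;)

# Every later packet of a session that carries the flowbit is passed as well.
pass tcp any any <> any any (msg:"YMSG session continues"; \
    flowbits:isset,ymsg.session; sid:1000002; rev:1;)

# Everything else on the monitored segment is alerted on, which gives the
# "allow Yahoo Messenger, deny the rest" policy from the question.
alert tcp any any -> any any (msg:"non-YMSG TCP traffic"; flow:established; \
    sid:1000003; rev:1;)
```

A pass rule takes precedence over alert rules for the packets it matches; it does not stop preprocessing or pattern matching, so the session is still inspected but no longer alerted on.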