[Snort-users] A question on Snort Flow tracking and Pass rules

chintan shah shahchintanh at ...11827...
Wed Aug 5 07:35:11 EDT 2009


Hi folks

Just wanted a bit of clarification on the Snort

--- I am just trying to experiment a bit with the pass rules in Snort. The
question is, if we configure the pass rules, is it possible in Snort to
allow the particular TCP flow to go uninspected after the pass rule has been
triggered for that flow / TCP session?

    To illustrate this, if we take an example of Yahoo Messenger, I
want to allow the entire TCP session to go uninspected after the signature for
Yahoo Messenger (inspecting for the string "YMSG") is matched. So
eventually, once the signature is matched, Snort should simply allow all
the packets of that flow to just pass through without any further inspection
for that specific flow/session. Is that possible? (It's the case of just
allowing Yahoo Messenger and denying everything else...)

--- Also wanted to know about the rule matching order of Snort. Does it go
for the rule body first and then the rule headers, or vice versa?


Any help or clue on the above queries would be highly appreciated.




-- 
Chintan Shah
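One way to express what the question describes in Snort 2.x rule syntax, as an added example (this is not code from the original post or from the Snort project; the port number 5050, the flowbit name and the sid values are assumptions chosen for illustration). The first rule tags the session with a flowbit on the first YMSG match, the pass rule then covers every later packet of that session, and a third rule reports traffic on the same port that was never tagged:

```snort
# Added example, not from the original post. Assumed values: port 5050,
# flowbit name ymsg.session, sids 1000001-1000003.
#
# Pass rules lose to alert rules under Snort's default order (alert, pass,
# log). For the pass rule below to win, set the order in snort.conf:
#     config order: pass alert log
# or start Snort with -o.

# 1. Tag the session once the YMSG marker is seen. Scoping the header to
#    port 5050 means the content check is only attempted on candidate traffic.
#    flowbits:noalert stops this rule from raising an event of its own.
alert tcp any any -> any 5050 (msg:"Yahoo Messenger session seen"; \
    flow:to_server,established; content:"YMSG"; depth:4; \
    flowbits:set,ymsg.session; flowbits:noalert; sid:1000001; rev:1;)

# 2. Pass every later packet of a tagged session, in both directions.
pass tcp any any <> any 5050 (msg:"Yahoo Messenger tagged session - pass"; \
    flow:established; flowbits:isset,ymsg.session; sid:1000002; rev:1;)

# 3. Report traffic on the same port that was never tagged as YMSG.
alert tcp any any -> any 5050 (msg:"Non-YMSG traffic on 5050"; \
    flow:established; flowbits:isnotset,ymsg.session; sid:1000003; rev:1;)
```

Two caveats a practitioner should keep in mind. A pass rule suppresses events for the packets it matches; those packets still go through the preprocessors (stream reassembly and the rest) before the detection engine sees them, so this makes the session quiet rather than truly uninspected. On the ordering question: a rule's options are never evaluated unless its header (protocol, addresses, ports, direction) matches first; the rules whose headers match form the candidate set, the fast-pattern content is looked up by the multi-pattern matcher, and only rules whose fast pattern hits have their remaining options evaluated in order.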