[Snort-users] Event Suppression between specific Source and Destination
guh at ...15642...
Fri Dec 14 10:44:07 EST 2012
I only agree in part, because if you would like to create a pass rule
for one specific rule and the two affected hosts, this would mean that I
basically have to copy the rule that triggers the event, replace
'alert' with 'pass', and adjust the source and destination.

But if the signature gets a new revision, the pass rule does not get
updated, and I would have to check for changes in the rules manually.

It would be a lot more intuitive to have a reference to a signature and
just deactivate alerting by using src, dst and sid.

On 12/14/2012 04:36 PM, Joel Esler wrote:
> On Dec 14, 2012, at 10:35 AM, Guido Hungerbuehler <guh at ...15642...
> <mailto:guh at ...15642...>> wrote:
>> A pass rule would be without any effect because I run the sensor in
>> alert-before-pass configuration.
>> Is there any other possibility?
> Not at this time.
> Why do you run in an alert before pass configuration? That's the point
> of a pass rule.
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
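
The following is an added example, not part of the original message or of Snort itself: it derives a host-pair pass rule from an alert rule and flags derived rules whose source signature has since changed revision, which is the manual check described in the message. The `# derived-from` comment tag, the function names, the local sid, the sample rule and the documentation-range addresses are all constructed assumptions, and the pass rule only has an effect on a sensor that evaluates pass rules before alert rules.

```python
import re

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
# Hypothetical bookkeeping comment written above every derived pass rule.
TAG_RE = re.compile(r'^# derived-from sid:(\d+) rev:(\d+)$')

# Constructed sample signature, not a real rule from any ruleset.
SAMPLE_ALERT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
                '(msg:"EXAMPLE constructed rule"; flow:to_server,established; '
                'content:"/test"; http_uri; sid:2000001; rev:3;)')

def sid_rev(rule):
    """Return (sid, rev) of a single-line rule as integers."""
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', rule)
    rev = re.search(r'\brev\s*:\s*(\d+)\s*;', rule)
    if not sid or not rev:
        raise ValueError("rule has no sid/rev option")
    return int(sid.group(1)), int(rev.group(1))

def make_pass_rule(alert_rule, src, dst, local_sid):
    """Copy an alert rule as a pass rule limited to one src/dst pair."""
    m = RULE_RE.match(alert_rule.strip())
    if not m:
        raise ValueError("not a single-line rule")
    _, proto, _, sport, direction, _, dport, opts = m.groups()
    sid, rev = sid_rev(alert_rule)
    # The copy gets its own sid/rev; the origin is recorded in the tag line.
    opts = re.sub(r'\bsid\s*:\s*\d+\s*;', 'sid:%d;' % local_sid, opts)
    opts = re.sub(r'\brev\s*:\s*\d+\s*;', 'rev:1;', opts)
    tag = '# derived-from sid:%d rev:%d' % (sid, rev)
    rule = 'pass %s %s %s %s %s %s (%s)' % (
        proto, src, sport, direction, dst, dport, opts)
    return tag + '\n' + rule

def stale_pass_rules(local_rules, current_rules):
    """List (sid, derived_rev, current_rev) where the signature moved on.

    current_rev is None when the signature is no longer in the ruleset.
    """
    current = dict(sid_rev(r) for r in current_rules.splitlines()
                   if RULE_RE.match(r.strip()))
    stale = []
    for line in local_rules.splitlines():
        m = TAG_RE.match(line.strip())
        if m and current.get(int(m.group(1))) != int(m.group(2)):
            sid, rev = int(m.group(1)), int(m.group(2))
            stale.append((sid, rev, current.get(sid)))
    return stale
```

Running `stale_pass_rules` after each ruleset update turns the manual comparison into a report of which derived pass rules need to be regenerated.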