[Snort-users] Event Suppression between specific Source and Destination

Guido Hungerbuehler guh at ...15642...
Fri Dec 14 10:44:07 EST 2012


I only agree in part. Because if you would like to create a pass rule 
for one specific rule and the two affected hosts, this would mean that I 
basically have to copy the rule that triggers the event and replace 
'alert' with 'pass' and adjust the source and destination.

But if the signature gets a new revision, the pass-rule does not get 
updated. And I would have to check for changes in the rules manually.

It would be a lot more intuitive to have a reference on a signature and 
just deactivate alerting by using src, dst and sid.

On 12/14/2012 04:36 PM, Joel Esler wrote:
> On Dec 14, 2012, at 10:35 AM, Guido Hungerbuehler <guh at ...15642...
> <mailto:guh at ...15642...>> wrote:
>
>> A pass rule would be without any effect because I run the sensor in
>> alert-before-pass configuration.
>>
>> Is there any other possibility?
>
>
> Not at this time.
>
> Why do you run in an alert before pass configuration?  That's the point
> of a pass rule.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
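
The copy-and-edit step described in the message above, scripted so the pass rule can be regenerated from the current signature after every rule update. This is an added example, not code from the thread or from the Snort project; the SIDs, addresses and rule text are constructed, and the resulting rule only has an effect on a sensor that evaluates pass rules before alert rules.

```python
import re

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def derive_pass_rule(ruleset, sid, src, dst, local_sid):
    """Return a pass rule built from the enabled rule `sid` in `ruleset`.

    Assumes one rule per line. Everything except action, addresses and sid
    is copied, so re-running after a rule update picks up the new revision.
    local_sid is a locally chosen id (assumption: taken from a local range).
    """
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)          # commented-out rules do not match
        if not m:
            continue
        found = SID_RE.search(m['opts'])
        if not found or int(found.group(1)) != sid:
            continue
        opts = SID_RE.sub('sid:%d;' % local_sid, m['opts'], count=1)
        return 'pass %s %s %s %s %s %s (%s)' % (
            m['proto'], src, m['sport'], m['dir'], dst, m['dport'], opts)
    raise LookupError('sid %d not found or disabled in ruleset' % sid)

# Constructed sample: the same made-up signature before and after an update.
OLD_RULESET = '''# constructed example ruleset, revision 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule"; flow:to_server,established; content:"/old"; sid:9000001; rev:1;)
'''
NEW_RULESET = '''# constructed example ruleset, revision 2
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule"; flow:to_server,established; content:"/new"; http_uri; sid:9000001; rev:2;)
'''

if __name__ == '__main__':
    # Constructed host pair (documentation address ranges) and local sid.
    for rules in (OLD_RULESET, NEW_RULESET):
        print(derive_pass_rule(rules, 9000001,
                               '192.0.2.10', '198.51.100.20', 1000001))
```

A LookupError after an update means the signature was removed or disabled upstream, so the old pass rule should be dropped rather than kept.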



