Re: -o and pass/alert/log usage

[Tony Lill <ajlill () ajlc waterloo on ca>]

> > > > > "Paul" == Paul Sheahan <Sheahan> writes:


    Paul> I was told in another post that it doesn't matter WHERE the
    Paul> pass rules are in any of the .rules files, and it doesn't
    Paul> matter in what order the rules files are included in
    Paul> snort.conf. If you use the -o option, all pass rules are
    Paul> taken into account first, then alerts. If this is wrong, I'd
    Paul> like to know so I get it straight too!

That's how it's supposed to work. However, if you are using 1.7,
there's some bug with include directives that makes this not so, and I
had to move my pass rules before including all the snort rules to work
around it.

I really have to find some time to verify whether or not it exists in
the current CVS source.
--
Tony Lill,                         Tony.Lill () AJLC Waterloo ON CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users