Snort mailing list archives

RE: Test question


From: Ryan Hill <rhill () xypoint com>
Date: Mon, 17 Dec 2001 11:30:46 -0800

Ronneil,

I didn't see a reply to your post, but you have a couple of different
options, including commenting out the rule with # in front of it, or adding a
pass rule to ignore the rule when it matches given criteria.

To ignore alerts for SMTP traffic, your pass rule might look like:

pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root";
flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)

(Sorry for false alarms guys, needed to keep the rule content for the
example.)

Remember, you'll want to change snort's rule processing order if you decide
to use pass rules: snort -o

Regards,

Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB
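The ordering caveat in the reply above is the part people trip over: in Snort 1.x the default rule-processing order is alert, then pass, then log, so a pass rule never gets a chance to suppress a matching alert rule unless `snort -o` reorders processing to pass, alert, log. The script below is an added illustration (not part of the post, and not Snort's own code): a small Python model that parses the two rules, runs a constructed SMTP response through both orders, and shows the verdict flipping. The `alert` form of sid 498 is assumed to be the stock rule the pass rule mirrors; the packets, addresses and payload are constructed, and flag and content matching are simplified to substring and "required flags present" checks.

```python
"""Toy model of Snort 1.x rule-order handling (added example, not Snort code)."""
import re
from dataclasses import dataclass, field

# Rule header:  action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)

def parse_rule(line: str) -> Rule:
    """Parse one rule line; options become a key -> value dict (quotes stripped)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for item in m.group('opts').split(';'):
        if not item.strip():
            continue
        key, _, val = item.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return Rule(m['action'], m['proto'], m['src'], m['sport'], m['dst'], m['dport'], opts)

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ''      # TCP flag letters, e.g. 'AP'
    payload: bytes = b''

def _port_ok(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == 'any' or spec == addr

def matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified matcher: header fields, required flags, and content substring."""
    if rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)):
        return False
    if not (_addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    flags = rule.opts.get('flags')
    if flags:
        # 'A+' means ACK plus anything else; the model only checks the named flags are set.
        if not all(f in pkt.flags for f in flags.rstrip('+*')):
            return False
    content = rule.opts.get('content')
    if content is not None and content.encode() not in pkt.payload:
        return False
    return True

DEFAULT_ORDER = ('alert', 'pass', 'log')     # Snort 1.x default: alert rules win
PASS_FIRST_ORDER = ('pass', 'alert', 'log')  # what 'snort -o' selects

def evaluate(rules, pkt: Packet, order=DEFAULT_ORDER):
    """Return the action of the first matching rule, visiting action types in `order`."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None

# Constructed rule set: the assumed stock alert rule plus the pass rule from the post.
RULE_TEXT = """
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
pass tcp any any -> any 25 (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
"""
RULES = [parse_rule(line) for line in RULE_TEXT.strip().splitlines()]

# Constructed packets: an SMTP reply carrying the string, and the same string on port 80.
SMTP_PKT = Packet('tcp', '10.0.0.5', 43210, '10.0.0.25', 25, flags='AP',
                  payload=b'250 uid=0(root) gid=0(root)\r\n')
HTTP_PKT = Packet('tcp', '10.0.0.5', 43211, '10.0.0.80', 80, flags='AP',
                  payload=b'uid=0(root)')

if __name__ == '__main__':
    for name, order in (('default order', DEFAULT_ORDER), ('snort -o', PASS_FIRST_ORDER)):
        print(f"{name}: SMTP -> {evaluate(RULES, SMTP_PKT, order)}, "
              f"HTTP -> {evaluate(RULES, HTTP_PKT, order)}")
```

With the default order the SMTP packet still produces `alert` because the alert rule is consulted first; only under the pass-first order does the pass rule win, while the port 80 packet alerts either way, which is the scoping the pass rule's `-> any 25` header is meant to give.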

