Re: open-test.conf

[waldo kitty <wkitty42 () windstream net>]

On 11/27/2012 22:50, Joel Esler wrote:
> On Nov 27, 2012, at 9:35 PM, waldo kitty <wkitty42 () windstream net
> <mailto:wkitty42 () windstream net>> wrote:
>
> > > One of the many benefits if using PP is flowbit dependency resolution!
> >
> > that's what i keep hearing... however, i note that it is one way only... rules
> > that set flowbits and are explicitly turned off get turned on instead of the
> > rules checking the flowbit getting turned off... that's ok in some cases but not
> > good in others…
>
> If you want it turned off, make sure you turn off the whole chain yourself.

exactly... and by the same token, if you want it on, make sure you turn on the 
whole chain yourself... much better than getting surprised by a flood of alerts 
that local policy allows while not allow for the others ;)

> Otherwise, I'd want it on!

that depends on certain things in other worlds ;)

> > in reality, both should be handled by a human... especially since snort reports
> > them and humans are supposedly monitoring snort's log output ;)
>
> Yeah right. ;)

you know that song and dance, too, eh? ;)


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!