
List:       snort-sigs
Subject:    RE: [Snort-sigs] "official" pass rules & feature request
From:       "McCammon, Keith" <Keith.McCammon () eadvancemed ! com>
Date:       2002-07-31 18:40:03

> Does it makes sense to maintain an "official" set of pass rules?

Not really.  The rules are pretty simply organized, and you should already disable
rules collections that don't apply to allowed traffic (replace them with rules that
alert on anything not explicitly allowed).  Also, rules that generate enough negative
feedback typically do end up commented out by default in the rules distributions.  If
you still get FPs, take a few seconds and edit your local.rules with a pass.

> Feature request:
> It would be nice if a rule could rely on another. Like, say, define the
> classic icmp echo request rule as "detect every echo request except for
> what's defined in the Speedera echo request rule".
> I imagine this would make the complexity of the detection engine go
> skywards, so... I'm not sure...

Already done.  You just place the more specific rule (speedera) above the more
general ICMP echo request rule.


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
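As an added example, not part of Keith's message and not from the Snort rules distribution, here is what the "specific pass rule above the general alert rule" arrangement looks like in a local.rules file. The SPEEDERA_NET variable, its address range (the 192.0.2.0/24 documentation range is used as a stand-in), and the sids in the local 1000000+ space are all assumptions; the content match from the real Speedera signature is deliberately not reproduced, so the pass rule here discriminates on source network only.

```snort
# local.rules -- added example, not from the original message or the
# Snort rules distribution.
#
# SPEEDERA_NET is an assumed variable: set it to the range the probes
# actually come from. 192.0.2.0/24 is a documentation range standing in
# for a real value. HOME_NET / EXTERNAL_NET are the usual snort.conf vars.
var SPEEDERA_NET 192.0.2.0/24

# The specific rule: quietly accept echo requests from the assumed
# Speedera range. No match on ICMP payload here; the real distribution
# rule keys on content as well, which is omitted on purpose.
pass icmp $SPEEDERA_NET any -> $HOME_NET any (msg:"ICMP PING speedera (local pass)"; itype:8; sid:1000001; rev:1;)

# The general rule: any other echo request still alerts.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING (local)"; itype:8; sid:1000002; classtype:misc-activity; rev:1;)
```

One check worth making before relying on this: Snort 1.x and the 2.0-era releases current when this thread was written apply rules in Alert -> Pass -> Log order by default, so an alert rule matching the packet fires before the pass rule is ever consulted, regardless of where the two sit in the file (each action type is built into its own rule chain, so file position between a pass and an alert rule does not decide precedence). Start snort with the `-o` flag, or put `config order: pass alert log` in snort.conf on Snort 2.x, to get Pass -> Alert -> Log ordering; confirm the behaviour against your version's manual, since later Snort 2 releases changed the default. Keeping the specific rule above the general one is still worth doing for readability.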


