List: snort-sigs
Subject: RE: [Snort-sigs] "official" pass rules & feature request
From: "McCammon, Keith" <Keith.McCammon () eadvancemed ! com>
Date: 2002-07-31 18:40:03
> Does it make sense to maintain an "official" set of pass rules?
Not really. The rules are pretty simply organized, and you should already disable
rules collections that don't apply to allowed traffic (replace them with rules that
alert on anything not explicitly allowed). Also, rules that generate enough negative
feedback typically do end up commented out by default in the rules distributions. If
you still get FP's, take a few seconds and edit your local.rules with a pass.
> Feature request:
> It would be nice if a rule could rely on another. Like, say, define the
> classic icmp echo request rule as "detect every echo request except for
> what's defined in the Speedera echo request rule".
> I imagine this would make the complexity of the detection engine go
> skywards, so... I'm not sure...
Already done. You just place the more specific rule (speedera) above the more
general ICMP echo request rule.