
List:       snort-sigs
Subject:    Re: [Snort-sigs] ignore specific sid's ?
From:       "Moyer, Shawn" <smoyer () rgare ! com>
Date:       2002-08-15 1:52:42

Another thought in addition to Keith and Ian's comments (although I do 
agree with you that adding a way to create an "ignored-sids.rules" or 
some such would be interesting): how about an egrep -v of all the 
distribution .rules files for the ignored SIDs and then kicking all of 
the rules into a single local rules file? Not a bad way to go, and it 
would allow you to download the distribution nightly or whatever and 
still keep some site-specific config. Definitely a lot quicker than the 
old "cut / paste into local.rules, change action to pass" approach.

Nice thought on matching by SID, may give this a shot myself.

--shawn

Dirk Mueller wrote:
> Hi, 
> 
> I have a question about Snort rule writing. I'd like to ignore certain "false 
> positives" of a certain rule, let's call it sid:4711. 
> 
> I wrote something like
> 
> pass tcp somehost theport -> any any (sid:4711;)
> 
> 
> But this doesn't seem to work. Is there any way to do something like that, 
> i.e. without modifying the original rule (which is fetched from the snort 
> distribution, and is therefore difficult to keep during upgrades) ?
> 




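Shawn's "egrep -v the distribution .rules files for the ignored SIDs, then kick everything into one local rules file" idea, written out as an added example script (this is not code from the thread or from the Snort project). The directory and file names, the sample rules and the ignore list are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: filter the ignored SIDs out of
# the distribution *.rules files and merge the rest into one local file.
# Paths, sample rules and the ignore list below are assumptions for the demo.

# build_local_rules RULES_DIR IGNORE_FILE OUT_FILE
#   RULES_DIR   directory holding the distribution *.rules files
#   IGNORE_FILE one SID per line; blank lines and '#' comments are skipped
#   OUT_FILE    the single merged rules file to point snort.conf at
build_local_rules() {
    rules_dir=$1; ignore_file=$2; out_file=$3

    # Collapse the SID list into one alternation: 4711|1234|...
    pattern=$(sed 's/#.*//; s/[[:space:]]//g' "$ignore_file" \
              | grep -E '^[0-9]+$' \
              | tr '\n' '|' | sed 's/|$//')

    if [ -z "$pattern" ]; then
        cat "$rules_dir"/*.rules > "$out_file"
        return
    fi

    # Anchor on "sid:" and the trailing ';' so ignoring 4711 does not also
    # drop sid:47110. grep -v exits 1 when every line was dropped, which is
    # not an error for our purposes.
    cat "$rules_dir"/*.rules \
        | grep -Ev "sid:[[:space:]]*($pattern)[[:space:]]*;" > "$out_file" || true
}

# make_demo_tree: constructed sample rules and ignore list in a temp dir;
# prints the directory so a caller can hand its paths to build_local_rules.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    cat > "$d/rules/web.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"demo web rule"; sid:4711; rev:1;)
alert tcp any any -> any 80 (msg:"demo web rule, similar sid"; sid:47110; rev:1;)
EOF
    cat > "$d/rules/dns.rules" <<'EOF'
alert udp any any -> any 53 (msg:"demo dns rule"; sid:1234; rev:2;)
alert udp any any -> any 53 (msg:"demo dns rule kept"; sid:1235; rev:1;)
EOF
    cat > "$d/ignored-sids.txt" <<'EOF'
# site-specific false positives
4711
1234
EOF
    echo "$d"
}

# demo: build the sample tree, run the merge, show what survived.
demo() {
    d=$(make_demo_tree)
    build_local_rules "$d/rules" "$d/ignored-sids.txt" "$d/local.rules"
    cat "$d/local.rules"
    rm -rf "$d"
}

demo
```

The `;` after the number matters: a plain `egrep -v 4711` would also throw away sid:47110 and any rule whose content happens to contain that digit string. The filter works line by line, so rules continued across lines with a trailing backslash should be joined first (or kept single-line in the distribution files); once the merged file exists, snort.conf includes it instead of the individual distribution files, and the nightly download only has to re-run the script.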
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs