List: snort-sigs
Subject: Re: [Snort-sigs] ignore specific sid's ?
From: "Moyer, Shawn" <smoyer () rgare ! com>
Date: 2002-08-15 1:52:42
Another thought in addition to Keith and Ian's comments (although I do
agree with you that adding a way to create an "ignored-sids.rules" or
somesuch would be interesting): howzabout maybe an egrep -v of all the
distribution .rules files for the ignored SIDs and then kicking all of
the rules into a single local rules file? Not a bad way to go, and it
would allow you to download the distribution nightly or whatever and
still keep some site-specific config. Definitely a lot quicker than the
old "cut / paste into local.rules, change action to pass" approach.
Nice thought on matching by SID, may give this a shot myself.
--shawn
Dirk Mueller wrote:
> Hi,
>
> I've a question about snort rules writing. I'd like to ignore certain "false
> positives" of a certain rule, let's call it sid:4711.
>
> I wrote something like
>
> pass tcp somehost theport -> any any (sid:4711;)
>
>
> But this doesn't seem to work. Is there any way to do something like that,
> i.e. without modifying the original rule (which is fetched from the snort
> distribution, and is therefore difficult to keep during upgrades) ?
>
>
>
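The "egrep -v the distribution files into one local rules file" idea from the reply above, worked through as a small POSIX shell script. This is an added example, not code from the thread or from the Snort project; the two rules files, the SID list and the file names (web-misc.rules, misc.rules, ignored-sids.txt, local.rules) are constructed for the example, and build_local_rules, has_sid and rule_count are hypothetical helper names. It assumes one rule per line, which is how the distribution files were laid out.

```shell
#!/bin/sh
# Added example: build one site-local rules file from the distribution
# rules while dropping the SIDs listed in an ignore file.
set -eu

# --- constructed sample input (made-up rules, not Snort distribution content) ---
WORK="$(mktemp -d)"
mkdir -p "$WORK/rules"

cat > "$WORK/rules/web-misc.rules" <<'EOF'
# constructed sample file standing in for a distribution .rules file
alert tcp any any -> any 80 (msg:"EXAMPLE web rule A"; sid:4711; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE web rule B"; sid:47110; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE web rule C"; sid:1000002; rev:1;)
EOF

cat > "$WORK/rules/misc.rules" <<'EOF'
alert udp any any -> any 53 (msg:"EXAMPLE dns rule"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh rule"; sid: 1000004; rev:1;)
EOF

# One SID per line; blank lines and '#' comments are ignored.
cat > "$WORK/ignored-sids.txt" <<'EOF'
# SIDs this site treats as false positives (constructed list)
4711

1000004
EOF

# build_local_rules RULESDIR IGNOREFILE OUTFILE
#   Concatenates every *.rules file under RULESDIR into OUTFILE, dropping any
#   rule whose sid appears in IGNOREFILE.  Matching is anchored on "sid:N;"
#   so that ignoring 4711 does not also drop 47110 or 14711.
build_local_rules() {
    rulesdir=$1
    ignorefile=$2
    outfile=$3

    # Turn the SID list into one alternation, e.g. 4711|1000004
    pattern=$(awk '/^[0-9]+$/ { s = s (s == "" ? "" : "|") $0 } END { print s }' "$ignorefile")

    if [ -z "$pattern" ]; then
        cat "$rulesdir"/*.rules > "$outfile"   # nothing to ignore
    else
        # grep -v exits 1 when every line was filtered; treat that as empty output, not an error
        cat "$rulesdir"/*.rules \
            | grep -Ev "sid:[[:space:]]*($pattern)[[:space:]]*;" > "$outfile" \
            || [ $? -eq 1 ]
    fi
}

# has_sid FILE SID  ->  succeeds if a rule carrying that sid survived in FILE
has_sid() {
    grep -Eq "sid:[[:space:]]*$2[[:space:]]*;" "$1"
}

# rule_count FILE  ->  number of active (non-comment, non-blank) rule lines
rule_count() {
    grep -Ec '^[[:space:]]*[a-z]' "$1"
}

build_local_rules "$WORK/rules" "$WORK/ignored-sids.txt" "$WORK/local.rules"
echo "wrote $(rule_count "$WORK/local.rules") rules to $WORK/local.rules"
```

Re-running this after each nightly download keeps local.rules equal to the distribution minus the site's exclusions; snort.conf then includes only local.rules, not the distribution files, so no rule is loaded twice. The reason the quoted pass rule never took effect is Snort's default rule-application order (alert, then pass, then log); the `-o` command-line switch changes that to pass first, which is the other way to get a pass rule honoured without editing the distribution files.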