Snort mailing list archives
RE: Test question
From: Ryan Hill <rhill () xypoint com>
Date: Mon, 17 Dec 2001 14:08:57 -0800
Ronneil,

If you don't change the rule processing order (snort -o), then AFAIK, the alert will trigger irregardless of the pass rule since alert rules will be processed first in the engine. Generally, if you've written any pass rules, you want to use snort -o to utilize them. The default option is not using them (probably for performance reasons - one can speculate).

BTW: Good suggestions Phil. I'm getting double triggers as the messages pass over two sensors before reaching me... lol

<snip false alarm generating sig here>

Regards,

Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB

-----Original Message-----
From: Ronneil Camara [mailto:ronneilc () remingtonltd com]
Sent: Monday, December 17, 2001 12:57 PM
To: Ryan Hill
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Test question

Thanks Ryan,

I'll try that one. So if I didn't use -o, then the new rule must come before the alert, am I right?