Re: Quick Rule's Question...

[Erek Adams <erek () theadamsfamily net>]

On Wed, 6 Mar 2002, James Hoagland wrote:

> Hello Erek,

Howdy James!

> Well, you asked...

*sigh*  I knew that would get me in trouble!  ;-)

> Not correct.  "pass" versus "alert" versus "log" only gets considered
> after the rule matches on some packet.  That is, the signature
> matching proceeds the same regardless of which of those 3 rule types
> is specified.  The parser does not do anything special with pass
> rules.  Just the signature matching code and then only after it finds
> a match.  (Order of rule application is a whole other discussion.)

Yep, I should have RTFC (Read the Friendly Code) before replying.  :)  Good
catch James!

[...snip...]

> [In Erek's tradition, let me say that I'm pretty sure what I said was
> correct, but would appreciate being clue'd in if not. :) ]

Oh god...  Now _I'm_ a _tradition_?  Why does that bring to mind a Hank
Williams Jr. song?  ;-)  Eeep!  Run Away!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users