Snort mailing list archives
A question on Snort Flow tracking and Pass rules
From: chintan shah <shahchintanh () gmail com>
Date: Wed, 5 Aug 2009 17:05:11 +0530
Hi folks,

Just wanted a bit of clarification on Snort.

--- I am just trying to experiment a bit with the pass rules in Snort. The question is: if we configure the pass rules, is it possible in Snort to allow the particular TCP flow to go uninspected after the pass rule has been triggered for that flow / TCP session?

## To illustrate this, if we take an example of Yahoo Messenger, I want to allow the entire TCP session to go uninspected after the signature for Yahoo Messenger (inspecting for the string "YMSG") is matched. So eventually, once the signature is matched, Snort should simply allow all the packets of that flow to just pass through without any further inspection for that specific flow/session. Is that possible? (It's the case of just allowing Yahoo Messenger and denying everything else...)

--- Also wanted to know about the rule matching order of Snort. Does it go for the rule body first and then the rule headers, or vice versa?

Any help or clue on the above queries would be highly appreciated.

--
Chintan Shah