This is a discussion on Re: [Snort-users] Snort pass rules... within the Snort forums, part of the System Security and Security Related category.
PlanAlpha wrote:
> Greetings-
>
> I'm having a problem with a couple of pass rules. Usually I get false
> alert (in BASE), look at the sid=n, grep for the rule, paste it into
> my local.rules and change alert to pass and alter the src/dst, etc....
> But I'm getting some alerts on sid's without rules, like sid=2 or
> sid=7. I assume these are from one or more of my plugins. How do I add
> them to my local.rules or mimic that function?

To verify it's a plugin, look at the generator. If the generator isn't 1, it's a plugin. (you can match which plugin it is by looking at the "generators" file included with snort)

If it is a non-rule generator, then you cannot fix it with a pass rule. pass rules, being rules, can only prevent alerts caused by other rules. Non-rule plugins are beyond their powers.

For plugins, you can use suppress to suppress that generator/sid combo for a given IP or network. Or you can try to change the options on that plugin to prevent it from firing off when it should not.
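The triage described in the reply above, as an added example that is not part of the original thread: it reads Snort fast-format alert lines, treats generator 1 as rule alerts that a pass rule can address, and drafts one `suppress` line per generator/sid/source for everything else. The sample alerts, addresses, messages and the `triage` function name are constructed for illustration.

```python
import re

# Constructed sample alerts in Snort "fast" alert format: [gid:sid:rev] msg.
# Addresses, sids and message text are made up for this example.
SAMPLE_ALERTS = """\
06/01-10:15:02.120000  [**] [1:1000001:1] constructed rule alert [**] [Priority: 2] {TCP} 192.168.1.20:40122 -> 10.0.0.5:80
06/01-10:15:03.450000  [**] [119:2:1] constructed plugin alert A [**] [Priority: 3] {TCP} 192.168.1.20:40123 -> 10.0.0.5:80
06/01-10:15:09.900000  [**] [119:7:1] constructed plugin alert B [**] [Priority: 3] {TCP} 192.168.1.21:40200 -> 10.0.0.5:80
06/01-10:16:00.000000  [**] [119:2:1] constructed plugin alert A [**] [Priority: 3] {TCP} 192.168.1.20:40130 -> 10.0.0.5:80
"""

# Captures generator id, sid and the source IP of each alert line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\].*?\{\w+\}\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)


def triage(alert_text):
    """Return (sids a pass rule can address, draft suppress lines for plugins)."""
    pass_sids, suppress_lines = [], []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line in the expected format
        gid, sid, src = int(m.group(1)), int(m.group(2)), m.group(3)
        if gid == 1:
            # Generator 1 means a rule fired, so a pass rule can apply.
            if sid not in pass_sids:
                pass_sids.append(sid)
        else:
            # Non-rule generator: a pass rule has no effect, draft a suppress.
            entry = f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            if entry not in suppress_lines:
                suppress_lines.append(entry)
    return pass_sids, suppress_lines


if __name__ == "__main__":
    rule_sids, drafts = triage(SAMPLE_ALERTS)
    print("pass-rule candidates (gid 1):", rule_sids)
    print("\n".join(drafts))
```

Each drafted line should be reviewed, and the IP narrowed or widened to the host or network that is actually producing the false alert, before it goes into the Snort configuration.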