[Oisf-users] Whitelist rules

Nikolay Denev ndenev at gmail.com
Fri Sep 16 09:32:33 UTC 2011


Hello all,

I'm trying to install a few "pass" rules with "priority 1" as whitelisting rules in "local.rules".
They are read OK, but they don't seem to work, and I'm starting to wonder if I'm missing something.

My understanding is that if my rules in local.rules match, no further checking will be done on this packet/flow.
Can someone confirm that this is correct? Or is there another way to accomplish this?
Basically, I want to preserve, for example, the shell code rules that are working on any port src/dest, but I have traffic
for an internal service that gives too many false positives, so I want to create a rule (basically the same shell code rule that gets triggered) but
modify it for the specific port of the service and change it from "alert" to "pass" and raise the priority.

Thanks in advance.

Regards,
Nikolay

