[Oisf-users] Whitelist rules

Peter Manev petermanev at gmail.com
Fri Sep 16 10:00:26 UTC 2011


Hi Nikolay,

Can you please post an example of a rule of yours?

Thanks

On Fri, Sep 16, 2011 at 11:32 AM, Nikolay Denev <ndenev at gmail.com> wrote:

> Hello all,
>
> I'm trying to install a few "pass" rules with "priority 1" as
> whitelisting rules in "local.rules".
> They are read OK, but they don't seem to work, and I'm starting to wonder if I'm
> missing something.
>
> My understanding is that if my rules in local.rules match, no further
> checking will be done on this packet/flow.
> Can someone confirm that this is correct? Or is there another way to
> accomplish this?
> Basically I want to preserve for example the shell code rules that are
> working on any port src/dest, but I have traffic
> for an internal service that gives too many false positives, so I want to
> create a rule (basically the same shell code rule that gets triggered) but
> modify it for the specific port of the service and change it from "alert"
> to "pass" and raise the priority.
>
> Thanks in advance.
>
> Regards,
> Nikolay
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Peter Manev