| When compared to the new suppression rules, pass rules are a clumsy and lumbering way to address the need to ignore alerts from certain hosts, networks, or rules. A poorly written pass rule can cause all signatures to be passed, making the Snort sensor useless. For example, if a pass rule is written to ignore alerts for a range of network addresses on TCP port 23, actual attacks may go unnoticed. Thresholding and suppression rules should be used instead of pass rules. |