Snort mailing list archives
Re: Alert on more than 1 rule?
From: Joe McAlerney <joey () SiliconDefense com>
Date: Mon, 25 Jun 2001 11:58:12 -0700
When rules are linked off the same option tree node, they are triggered on a first come, first served basis. Whatever one appears first in the file will be triggered first. This is why it is often good to place the most specific rules above the more general ones. Think of it as "Look for these long specific strings with ../.. in them, but if all else fails, we'll be satisfied with anything with ../.. in it".

Marty wrote a good explanation of how Snort rules are arranged under http://www.snort.org/FAQ.html#q69

Hope this helps,

-Joe M.

--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |

"Sheahan, Paul (PCLN-NW)" wrote:
> I am writing some of my own rules on my new Snort server and have a question: If incoming traffic matches two rules, will BOTH rules trigger an alert, or just one?
>
> For example, there is a rule that checks for "cmd.exe" execution on NT servers. I also created a rule that searches for the contents "winnt/system32" to see if anyone was capable of bringing up a directory on one of my servers. Well, an attack appeared in my logs recently that contained "winnt/system32/cmd.exe", but only the "cmd.exe" rule was triggered, and not my custom rule. I'm wondering if Snort is supposed to trigger both, or just one of the rules?
>
> Thanks,
> Paul
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
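A toy model of the first-match behaviour Joe describes, added here as an illustration and not code from the thread or from Snort itself: rules whose header is identical land on the same node and are tried in file order, and only the first rule whose content options all match fires. The two rules and the request payload are constructed for the demonstration, and the model deliberately ignores everything except the header and `content` options.

```python
# Toy model of Snort 1.x-style rule ordering: rules sharing a header are
# tried in file order; the first rule whose options match fires, the rest
# are skipped. Constructed for illustration, not Snort's own code.
import re

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Parse a single-line rule into its header, msg and content strings."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    msg, contents = None, []
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            contents.append(val)
    return {"header": " ".join(m.group("header").split()), "msg": msg, "contents": contents}

def build_tree(rule_lines):
    """Group rules by header, preserving file order (like Snort's rule tree nodes)."""
    tree = {}
    for line in rule_lines:
        r = parse_rule(line)
        tree.setdefault(r["header"], []).append(r)  # dict keeps insertion order
    return tree

def first_alert(tree, header, payload):
    """Return the msg of the first rule under `header` whose contents all match, else None."""
    for rule in tree.get(header, []):
        if all(c in payload for c in rule["contents"]):
            return rule["msg"]
    return None

# Constructed rules: same header, so both hang off the same node. Only the file order differs.
GENERIC = 'alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe";)'
SPECIFIC = 'alert tcp any any -> any 80 (msg:"LOCAL winnt/system32 cmd.exe"; content:"winnt/system32/cmd.exe";)'
HEADER = "tcp any any -> any 80"
PAYLOAD = "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"  # constructed sample request

def alert_generic_first():
    return first_alert(build_tree([GENERIC, SPECIFIC]), HEADER, PAYLOAD)

def alert_specific_first():
    return first_alert(build_tree([SPECIFIC, GENERIC]), HEADER, PAYLOAD)

if __name__ == "__main__":
    print("generic first :", alert_generic_first())   # WEB-IIS cmd.exe access
    print("specific first:", alert_specific_first())  # LOCAL winnt/system32 cmd.exe
```

Both rules match the same request, so which alert you see depends only on which rule comes first in the file; putting the more specific rule above the generic one is what makes the specific alert appear.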
Current thread:
- Alert on more than 1 rule? Sheahan, Paul (PCLN-NW) (Jun 25)
- Re: Alert on more than 1 rule? Joe McAlerney (Jun 25)
- Re: Alert on more than 1 rule? Olivier Grumelard (Jun 25)