Snort mailing list archives
Rule set Query
From: "skill2die4" <skill2die4 () yahoo com>
Date: Wed, 7 Mar 2001 11:24:19 -0500
hi:

Consider there are 2 rules ... however, one rule is a superset of the other.

Example:

A.rules = alert any any < > $home 80 _ _ _ _
B.rules = alert $Secure any < > $home 80 _ _ _ _

Now when I execute snort, and there is a packet incoming from $Secure:

1. Would snort log both of them?
2. If I put B.rules before A.rules, would it make snort log only the second attack and not the first?
3. Is there a way to achieve the result of Query 2, i.e. only logging rule B and not A when there is a packet from $Secure?

thanks :)
skill