Snort mailing list archives
Re: Just one match could cover serious attack
From: John Sage <jsage () finchhaven com>
Date: Sun, 25 Aug 2002 13:02:03 -0700
Alvaro:

On Sun, Aug 25, 2002 at 07:43:38AM -0700, Alvaro Lillo wrote:

> I have seen that some packets that match more than one rule of snort only generate one alert. This happens because snort, at the first match, doesn't continue comparing content. This could cover an attack, generating only alerts of low importance. Is there any way to give priority to some rules over others (the idea is that snort first searches for matches in some selected rules before the others)?
Other than reordering the includes in snort.conf, and/or reordering individual rules within a given *.rules file, I don't believe there's any way to do what you're suggesting.

And think about it: at the moment, snort stops examining a packet at first match. If snort was to do what you're suggesting, then snort would need to maintain two separate states for each packet: what matches had been found, and where in the rule parsing sequence it should resume looking for yet another match. Quite a bit of overhead to perform for each packet.

- John

--
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
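A toy model of the first-match behaviour discussed in this thread, written as an added example for this archive page (it is not Snort's code and was not posted by either participant). It assumes rules carry a numeric priority (1 = most severe) and shows how a less severe rule placed earlier in the file hides a more severe match, and how the reordering John suggests restores the serious alert.

```python
# Added example: models "stop at first match" rule evaluation; not Snort's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int          # constructed signature id, not from any real ruleset
    msg: str
    content: bytes    # byte pattern the rule looks for in the payload
    priority: int     # 1 = most severe (assumed convention for this model)


def first_match(rules, payload):
    """Return the first rule whose content occurs in payload, or None.

    This is the behaviour described in the thread: once a rule matches,
    no later rule is checked for the same packet."""
    for rule in rules:
        if rule.content in payload:
            return rule
    return None


def all_matches(rules, payload):
    """Every rule that would match if evaluation did not stop early."""
    return [r for r in rules if r.content in payload]


def masked_alerts(rules, payload):
    """Rules that match but are hidden by an earlier, less severe first match."""
    hit = first_match(rules, payload)
    if hit is None:
        return []
    return [r for r in all_matches(rules, payload) if r.priority < hit.priority]


def order_by_priority(rules):
    """The remedy from the reply: put severe rules first. sorted() is stable,
    so rules of equal priority keep their original file order."""
    return sorted(rules, key=lambda r: r.priority)


# Constructed sample: a noisy informational rule listed before a severe one.
RULES = [
    Rule(1000001, "INFO web request", b"GET /", 3),
    Rule(1000002, "WEB-ATTACKS /etc/passwd access", b"/etc/passwd", 1),
]
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"   # constructed test payload

if __name__ == "__main__":
    print("file order  ->", first_match(RULES, PAYLOAD).msg)
    print("hidden      ->", [r.msg for r in masked_alerts(RULES, PAYLOAD)])
    print("by priority ->", first_match(order_by_priority(RULES), PAYLOAD).msg)
```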