Snort mailing list archives
Re: order of matching rules
From: archana rao <archuatdavis () yahoo com>
Date: Thu, 17 Oct 2002 11:45:27 -0700 (PDT)
When I use Snort to detect the attacks towards an IIS server which uses the URI:

GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"

why does it raise the alert "WEB-IIS cmd.exe access" with sid:1002 that looks for content:"cmd.exe" and not the alert "WEB-IIS File permission canonicalization" with sid:981 that looks for uricontent:"/scripts/..%c0%af../"?

Archana

--- Chris Green <cmg () snort org> wrote:

> archana rao <archuatdavis () yahoo com> writes:
>
> > The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
> > "For some strange reason, Snort stops the detection process for a
> > packet after the first matching rule - maybe to improve performance"
> > while talking about snort-ng. Is this the way it works in
> > Snort-1.9.0 too?
>
> For Snort-1.9.x yes. For Snort-2.0, no. There was a first exit match
> strategy first. The strange reason was once you got something you care
> about, why bother keeping going on and let the ruleset editors worry
> about rule ordering.
>
> If you're looking at snort-ng, look at the HEAD snort branch too.
> You'll be pleasantly surprised if you have the facilities to compare
> the two.
>
> > In what order are the rules matched against the incoming packets? Is
> > it the order in which they are listed in the *.rules file?
> >
> > Archana
>
> Look through the mailing list archives for a description of the
> RTN/OTN parsing.
>
> --
> Chris Green <cmg () sourcefire com>
> To err is human, to moo bovine.
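The behaviour under discussion, as an added illustration that is not code from the thread or from Snort itself: a toy model of the two evaluation strategies the reply describes (first-exit, which the reply attributes to Snort 1.9.x, and evaluate-all, which it attributes to Snort 2.0), run against the request URI from the question with simplified stand-ins for sid 981 and sid 1002. The rule list order, the `Rule` fields, the `evaluate` function and the sample request are all constructed here; the real order Snort 1.9 evaluates rules in comes from its RTN/OTN parsing, which the reply points to, so nothing below should be read as that order.

```python
# Added example (not Snort's code): a toy model of first-exit versus
# evaluate-all rule matching, using simplified stand-ins for sid 981 and
# sid 1002 and the request URI quoted in the question.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    pattern: str      # the content/uricontent string the rule looks for
    uri_only: bool    # True models `uricontent`, False models `content`


# Constructed, simplified versions of the two signatures named in the thread.
# Real rules carry more options (flow, nocase, classtype, reference, ...);
# only the one match keyword each rule is known for is modelled here, and the
# list order is an assumption, not Snort's actual evaluation order.
RULES: List[Rule] = [
    Rule(981, "WEB-IIS File permission canonicalization", "/scripts/..%c0%af../", True),
    Rule(1002, "WEB-IIS cmd.exe access", "cmd.exe", False),
]

# Constructed HTTP request carrying the URI from the question (hostname made up).
REQUEST = (
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+ HTTP/1.0\r\n"
    "Host: iis.example\r\n"
    "\r\n"
)


def request_uri(request: str) -> str:
    """Return the request-URI from the request line (method SP uri SP version)."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def rule_matches(rule: Rule, request: str) -> bool:
    """`uricontent` searches only the URI; `content` searches the whole payload.

    The model uses a raw, case-sensitive substring test and does no URI
    normalisation, which is a simplification of what Snort does.
    """
    haystack = request_uri(request) if rule.uri_only else request
    return rule.pattern in haystack


def evaluate(rules: List[Rule], request: str, first_exit: bool) -> List[Tuple[int, str]]:
    """Return (sid, msg) alerts in evaluation order.

    first_exit=True : stop after the first matching rule, so at most one
                      alert per packet (the 1.9.x behaviour in the reply).
    first_exit=False: keep going, so every matching rule alerts.
    """
    alerts: List[Tuple[int, str]] = []
    for rule in rules:
        if rule_matches(rule, request):
            alerts.append((rule.sid, rule.msg))
            if first_exit:
                break
    return alerts


def first_exit_winner_by_order(rules: List[Rule], request: str) -> Tuple[Optional[int], Optional[int]]:
    """Under first-exit, which sid alerts for the given order and for the reverse order.

    Both rules match the packet, so the alert you see is decided purely by
    which rule is evaluated first, which is the rule-ordering point in the reply.
    """
    forward = evaluate(rules, request, first_exit=True)
    backward = evaluate(list(reversed(rules)), request, first_exit=True)
    return (forward[0][0] if forward else None, backward[0][0] if backward else None)


if __name__ == "__main__":
    print("evaluate-all:", evaluate(RULES, REQUEST, first_exit=False))
    print("first-exit, 981 listed first:", evaluate(RULES, REQUEST, first_exit=True))
    print("first-exit, 1002 listed first:", evaluate(list(reversed(RULES)), REQUEST, first_exit=True))
```

Under evaluate-all both stand-in rules fire on this request; under first-exit exactly one fires, and which one depends only on evaluation order, so an observation like "1002 fired and 981 did not" cannot by itself tell you that 981 would not have matched. The model also leaves out URI normalisation: Snort matches `uricontent` against the decoded URI buffer, so a pattern written in raw percent-encoding like sid 981's can fail to match a request whose `%c0%af` the HTTP decoder has already turned into a slash. Whether that applies to a given 1.9 installation depends on how its http_decode preprocessor is configured, which the thread does not say.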
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- order of matching rules archana rao (Oct 16)
- Re: order of matching rules Chris Green (Oct 16)
- Re: order of matching rules archana rao (Oct 17)
- Re: order of matching rules Chris Green (Oct 22)
- Re: order of matching rules archana rao (Oct 17)
- Re: order of matching rules Matt Kettler (Oct 16)
- <Possible follow-ups>
- Re: order of matching rules Christopher Kruegel (Oct 22)
- Re: order of matching rules Christopher Kruegel (Oct 22)
- Re: order of matching rules Chris Green (Oct 22)
- Re: order of matching rules Chris Green (Oct 16)