Snort mailing list archives
The order that rules are processed in?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sat, 1 Feb 2003 21:03:55 -0600
Before you groan and point me to the FAQ and archives, I've been looking for these for a while, and I've already been through the FAQ and the archives.... :-)

I just installed Version 1.9.0 (Build 209) on a FreeBSD 4.7 box (from the ports, not compiled from source on snort.org) logging to mysql and using ACID to view (works great, btw). Thanks to Keith Tokash for a great installation guide! I only had a couple of problems due to changes between FreeBSD 4.6 and 4.7, but nothing major.

I'm trying to find out in what order snort processes the rules. Is it in the order that they are listed in snort.conf? Right now I'm writing pass rules (using vars for specific hosts - like this - var ICMP_DEST_UNRCH [x.x.x.x,x.x.x.x]) to get rid of alerts for things we don't want to see from specific hosts (we know the router is going to spew these, for example). I'm putting the pass rules at the beginning of the rule file (like icmp.rules) and I'm starting snort with the -o switch to process the pass rules first.

My edits of these files will get overwritten when I update, right? If I knew local.rules was processed first by placing it first in the snort.conf file, I'd put these in there and move it to the top of the list, and then I'd put all my pass rules in local.rules. Does it matter where local.rules is in snort.conf?

Also, if you create a bad rule (improper syntax, misspelled args, etc.), does snort log that anywhere? Will it even start if a rule is written incorrectly? Will it ignore the bad rule?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
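As an added illustration (not part of the original post or of the Snort distribution), here is how the host variable and the pass rules described in the question fit together in snort.conf and a local rule file. The addresses, the sid numbers, the `$RULE_PATH` variable and the placement of local.rules are assumptions for the example; the itype value 3 is the ICMP destination-unreachable type.

```snort
# --- snort.conf fragment (added example, not from the original post) ---

# Hosts whose ICMP destination-unreachable messages should not raise alerts
# (the router from the question). Placeholder documentation addresses.
var ICMP_DEST_UNRCH [192.0.2.1,192.0.2.2]

# Assumed to be defined earlier in snort.conf, as in the stock file.
var RULE_PATH /usr/local/share/snort

# Keep site-specific rules in local.rules and include it ahead of the
# distribution rule files, so that a rules update which overwrites
# icmp.rules leaves the local pass rules untouched.
include $RULE_PATH/local.rules
include $RULE_PATH/icmp.rules

# --- local.rules (added example) ---

# One pass rule per traffic class to suppress. sid values are placeholders
# in the local range (>= 1000000) so they never collide with shipped rules.
pass icmp $ICMP_DEST_UNRCH any -> any any (msg:"LOCAL pass router dest unreachable"; itype:3; sid:1000001; rev:1;)
```

Snort 1.x applies rule types in the fixed order alert, pass, log regardless of where the rule sits in a file; the `-o` switch changes that to pass, alert, log, which is what makes a pass rule take precedence over a matching alert rule. Keeping pass rules in local.rules rather than editing icmp.rules is the part that survives an update.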
Current thread:
- The order that rules are processed in? Schmehl, Paul L (Feb 01)
- Re: The order that rules are processed in? twig les (Feb 01)
- <Possible follow-ups>
- RE: The order that rules are processed in? Schmehl, Paul L (Feb 01)
- RE: The order that rules are processed in? Paul D. Shaffer (Feb 01)
- Re: The order that rules are processed in? Dragos Ruiu (Feb 01)
- Re: The order that rules are processed in? Dragos Ruiu (Feb 01)
- RE: The order that rules are processed in? Schmehl, Paul L (Feb 01)
- RE: The order that rules are processed in? Rich Adamson (Feb 02)
- RE: The order that rules are processed in? Schmehl, Paul L (Feb 02)