Dangerous to use custom ruletypes?

[Martin Olsson <elof () sentor se>]

Is it dangerous to use custom ruletypes?

I just discovered that when you define your own ruletypes, they are put
LAST in the chain of rules. Here is an example of the output when I run
snort with the -o option (pass rules first):

  Rule application order: ->pass->activation->dynamic->alert->log->panic

I have created a ruletype named "panic" where I have put all my critical
rules. As you can see, "panic" is placed at the end of the rule-chain.
Does this mean that if I have some more generic alert-rule that matches
the packet, it won't make it to the panic-rule?

Right now I'm using the latest snort-rules as well as my own panic-rules.
What worries me is that some of the snort-rules, say rule #1113, might
trigger on the simple pattern "../", while my panic-rule would have
triggered on the same packet. Instead of getting my own alert-message with
detailed information I just get a "WEB-MISC http directory traversal".

Say it isn't so!

(run on snort 1.9.1 on FreeBSD 4.7)

Martin Olsson
Sentor AB, Sweden



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users