Snort mailing list archives

Re: Part of traffic matching wrong rule


From: Erek Adams <erek () snort org>
Date: Tue, 24 Jun 2003 15:22:24 -0400 (EDT)

On Tue, 24 Jun 2003, Juergen Anthamatten wrote:

[...snip...]

Rule application order: alert->pass->alarm

[...snip...]

By default, pass rules are applied last.  You need to change the order of
the applications of rules.  With custom types, they are applied last
unless you change the order.

You can change the order with "-o" or a config directive.  If you want
'alarm' to go first, then you need to use the config directive [0]:

        config order:  alarm pass alert dynamic

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.3

