Snort mailing list archives
(no subject)
From: Juergen Anthamatten <juergen.anthamatten () gmx net>
Date: Wed, 25 Jun 2003 17:32:41 +0200 (MEST)
On Tue, 24 Jun 2003, Juergen Anthamatten wrote:

[...snip...]
Rule application order: alert->pass->alarm
[...snip...]

By default, pass rules are applied last. You need to change the order of the applications of rules. With custom types, they are applied last unless you change the order. You can change the order with "-o" or a config directive. If you want 'alarm' to go first, then you need to use the config directive [0]:

config order: alarm pass alert dynamic

Cheers!

thx for the reply. The rule order "alert->pass->alarm" is what I want, and I'm already using "config order: alert pass alarm ...".

The problem was that for about 99% of syn-acks from 64.232.48.230 (of the form: 64.232.48.230.80 > universe.unpriv: S 2146395230:2146395230(0) ack...) the pass rule was matching, and for about 1% the alarm rule. Even if the order of "pass" and "alarm" were wrong, 100% of the syn-acks from 64.232.48.230:80 have to match either the pass rule or the alarm rule, but not some the pass rule and some the alarm rule...

Andrew R. Baker's suggestion to use the latest version from the CVS tree fixed the problem....

./juergen