Snort mailing list archives
ruleset priority
From: "Brian D. Hamm" <brian.hamm () extensys biz>
Date: Sat, 10 Apr 2004 23:27:42 -0400
Why does the less specific rule continue to fire over the rule with a specific destination IP address set? I have tried switching the order, moving the 8.8.8.8 rule to local.rules, and even tried adding a /32, but the more generic any any -> any 69 continues to fire. The only way I can get the 8.8.8.8 rule to fire is to change the more generic rule to any any -> any 70. It does fire then, so I know the rule is valid.

alert udp any any -> 8.8.8.8 69 (msg:"TFTP 8888 GET"; content:"|00 01|"; offset:0; depth:2; classtype:not-suspicious; sid:1444; rev:2;)

alert udp any any -> any 69 (msg:"TFTP Z Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)

I read the README.

Thanks,
Brian
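The two rules quoted above share sid:1444, and the Snort manual requires the sid option to uniquely identify a rule; they also both match every UDP packet to port 69 whose payload starts with |00 01|, since "any" as destination covers 8.8.8.8. The following linter is an added example (not part of the thread, not Snort's own tooling) that parses rule lines like the ones in the post and reports both conditions; it assumes plain IP/CIDR or "any" in the destination field, not $VARIABLE names.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: the two rules as pasted in the post above.
RULES = """
alert udp any any -> 8.8.8.8 69 (msg:"TFTP 8888 GET"; content:"|00 01|"; offset:0; depth:2; classtype:not-suspicious; sid:1444; rev:2;)
alert udp any any -> any 69 (msg:"TFTP Z Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)
"""

# action proto src sport dir dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(line):
    """Split one Snort rule into header fields and a dict of its first-seen options."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, _direction, dst, dport, opts = m.groups()
    options = {}
    for key, val in OPTION.findall(opts):
        options.setdefault(key, val.strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def covers(dst_a, dst_b):
    """True if destination spec dst_a includes every address in dst_b ("any" or CIDR only)."""
    if dst_a == "any":
        return True
    if dst_b == "any":
        return False
    return ip_network(dst_b, strict=False).subnet_of(ip_network(dst_a, strict=False))

def lint(text):
    """Return findings: duplicate sids, and rules whose match set lies inside a broader rule's."""
    rules = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    findings = []
    by_sid = defaultdict(list)
    for r in rules:
        by_sid[r["opts"].get("sid")].append(r)
    for sid, group in by_sid.items():
        if len(group) > 1:
            findings.append(f"duplicate sid {sid} used by {len(group)} rules")
    for a in rules:
        for b in rules:
            same_match = (a is not b and a["proto"] == b["proto"] and a["dport"] == b["dport"]
                          and a["opts"].get("content") == b["opts"].get("content"))
            if same_match and a["dst"] != b["dst"] and covers(a["dst"], b["dst"]):
                findings.append(f"'{b['opts'].get('msg')}' (dst {b['dst']}) overlaps broader "
                                f"'{a['opts'].get('msg')}' (dst {a['dst']}): same proto, port and content")
    return findings

if __name__ == "__main__":
    for f in lint(RULES):
        print(f)
```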