RE: snort rule firing order

["Joshua Berry" <JBerry () PENSON COM>]

You could tell oinkmaster to comment out the old rule with this:
 
disablesid <sid_number>
 
Or you could tell oinkmaster to modify the sid and replace it with your
content:
 
modifysid <sid_number> "alert ip any any -> any any \(msg:\"BAD-TRAFFIC
IP Proto 103 PIM" | "alert ip any any -> !224.0.0.13 any
\(msg:\"BAD-TRAFFIC IP Proto 103 PIM"
 
 
You might need a slash in front of the exclamation point as well.

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kretzer,
Jason R (Big Sandy)
Sent: Tuesday, September 13, 2005 9:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort rule firing order


Hello all,
 
I have a custom rule that I would like to fire instead of a pre-built
rule.  Here is my rule
 
jason@bgswebtest:~$ cat /etc/snort/rules/jason.rules
alert ip any any -> !224.0.0.13 any (msg:"BAD-TRAFFIC IP Proto 103 PIM";
ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567;
classtype:non-standard-protocol; sid:1002189; rev:1;)

It is exactly the same as rule 2189 in
/etc/snort/rules/bad-traffic.rules EXCEPT the destination IP, sid, and
rev.
 
I thought my rule would take precedence because it is more "specific"
than the given rule.  I would comment it out but oinkmaster which I use
to update my rules automatically just replaces it.
 
Is there something I am doing wrong?
 
-Jason