Re: modifying priority on certain rules

[Dirk Geschke <dirk () geschke-online de>]

Hi,

> Thanks for the feedback.  However, the problem isn't with how I change the 
> rule, it's the fact that the updated priority isn't taking effect.
>
> In my oinkmaster.conf, I added the line:
> modifysid 2466 "classtype:protocol-command-decode;" | 
> "classtype:protocol-command-decode; priority:2;"
>
> That successfully updates the rule, but the priority is still coming 
> through as the default (3).

maybe it works correct but the output plugin does not handle it
correctly? As far as I remember does the database ouput plugin
ignore the priority, it simply asks the database for an existing
signature of that message type and ignores the priority. So if
there is already a singature of this type in the database then
the priority is ignored (the one of the database is used regardless
of your local settings.)

So: What output plugin do you use or may this be the reason?

Best regards

Dirk


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users