Re: Order of rules

[Dave Corsello <snort-users () wintertreemedia com>]

Thanks, Joel.

On 5/2/2014 10:36 AM, Joel Esler (jesler) wrote:
> Rule processing does not end after the first hit.
>
> The first hit could be an alert and a pass would take precedence w/ no
> command line/snort.conf options to change that.
>
> Rule order in the config file does not matter, rule evaluation is not 
> linear.
>
> They will be processed in the order in which the fast-pattern matches are
> found in the payload.  The first pattern to occur, rules w/ that pattern
> will be evaluated first and so on.  And the rules within that matching end
> state are evaluated in a tree of options. How options are added into the
> tree is not deterministic from one run to another.
>
> J
>
> On May 1, 2014, at 3:31 PM, Dave Corsello 
> <snort-users () wintertreemedia com 
> <mailto:snort-users () wintertreemedia com>> wrote:
>
> > I looked pretty hard for this information and couldn't find it, so maybe
> > this will be useful to someone:  it looks like rules with the same
> > priority and similar action are processed in sid order.
> >
> > On 4/29/2014 5:35 PM, Dave Corsello wrote:
> > > Let me narrow that down.  Assume that no command line options or
> > > snort.conf options are used to change the order in which rule actions
> > > are taken, and that rule processing ends after the first hit.
> > > Basically, I want to know if changing the physical order of two drop
> > > rules with the same priority in my local.rules file makes a difference,
> > > or if there's some other default sort order that takes precedence.
> > >
> > >
> > > On 4/29/2014 9:07 AM, Dave Corsello wrote:
> > > > Here's a very basic question:  In what order are snort rules processed:
> > > > the order in which they are listed in a rules file, or in gid/sid 
> > > > order?
> > > >
> > > > ------------------------------------------------------------------------------
> > > > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> > > > Instantly run your Selenium tests across 300+ browser/OS combos.  Get
> > > > unparalleled scalability from the best Selenium testing platform 
> > > > available.
> > > > Simple to use. Nothing to install. Get started now for free."
> > > > http://p.sf.net/sfu/SauceLabs
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the 
> > > > latest Snort news!
> > >
> > > ------------------------------------------------------------------------------
> > > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> > > Instantly run your Selenium tests across 300+ browser/OS combos.  Get
> > > unparalleled scalability from the best Selenium testing platform 
> > > available.
> > > Simple to use. Nothing to install. Get started now for free."
> > > http://p.sf.net/sfu/SauceLabs
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest 
> > > Snort news!
> >
> >
> > ------------------------------------------------------------------------------
> > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> > Instantly run your Selenium tests across 300+ browser/OS combos.  Get
> > unparalleled scalability from the best Selenium testing platform 
> > available.
> > Simple to use. Nothing to install. Get started now for free."
> > http://p.sf.net/sfu/SauceLabs
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get 
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!