Snort mailing list archives
Re: How to turn on first-match-out criteria
From: Pablo Artuso <artusopablo () gmail com>
Date: Wed, 28 May 2014 08:30:33 -0300
Hi there,

I was doing some more testing on this requirement I have, but unfortunately I didn't arrive at anything useful.

I have read this post http://seclists.org/snort/2014/q2/546 where Joel Esler answers a SNORT user that the order in which the rules are applied doesn't have anything to do with SID numbers, but will depend on the order in which the fast-pattern matches are found in the payload.

I'd like to understand this better, because right now I have no idea how to continue... In fact, I have two questions:

1) Is there a way to force the order in which SNORT evaluates the rules?
2) Once a rule is matched, and this rule generates an alert, is it possible to STOP evaluating the rest of the rules?

I've been checking different keywords named in the SNORT manual and some forums, such as: pass, noalert, flowbits, dynamic rules, activate, etc. But none of them helped me (or at least I didn't know how to combine them properly) to get what I need.

I think this could clarify my need even more: let's suppose there are two rules (Rule A and Rule B) where both check if "Y" is present in the packet, but Rule B also checks if "X" is present in the packet. So, if I receive a packet containing "X" and "Y", I want to receive ONLY the alert of Rule B, and not the one coming from Rule A.

Does anybody know how to do this? Maybe combining some other keywords?

Thanks in advance,
Pablo

2014-05-05 12:55 GMT-03:00 Pablo Artuso <artusopablo () gmail com>:
Hi,

I'm using Snort 2.9. I have been searching for this for hours and didn't find the answer (even in the archives of this list). I read that, in previous versions, it was the default configuration.

How can I configure my Snort in order to accomplish both things:
- Alert when a rule matches.
- Finish. I mean, stop matching other rules.

Thank you!

Kind regards,
Pablo
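The Rule A / Rule B scenario from the question, written as Snort 2 rules together with the event_queue setting that limits what gets logged per packet; this is an added example, not from the thread or from Snort's own rule sets, and the SIDs, message strings and $HOME_NET variable are assumed placeholders.

```snort
# Added example (not from this thread). Rule A matches on "Y" alone;
# Rule B matches only when both "X" and "Y" are present. SIDs, msg
# strings and $HOME_NET are placeholders chosen for illustration.

# Rule A: any payload containing "Y". priority:2 marks it as less
# severe than Rule B (in Snort, 1 is the highest priority).
alert tcp any any -> $HOME_NET any (msg:"Rule A - Y seen"; \
    content:"Y"; priority:2; sid:1000001; rev:1;)

# Rule B: payload must contain both "X" and "Y".
alert tcp any any -> $HOME_NET any (msg:"Rule B - X and Y seen"; \
    content:"X"; content:"Y"; priority:1; sid:1000002; rev:1;)

# This line belongs in snort.conf, not in the rules file:
# queue up to 8 events per packet, order them by rule priority
# (lowest number first) and log only the first one. Both rules
# still evaluate and both still match a packet holding "X" and "Y";
# only Rule B's event reaches the output plugins for that packet,
# while a packet holding just "Y" still logs Rule A.
config event_queue: max_queue 8 log 1 order_events priority
```

This does not stop rule evaluation after the first match (Snort 2 has no such mode); it prunes the per-packet event queue, so the detection cost of every rule still applies.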