Snort mailing list archives
Re: Post Detection Rule
From: "tantioification ." <tantio86 () gmail com>
Date: Wed, 24 May 2017 23:16:48 +0700
Thank you Russ for your explanation, it is very helpful for me to learn.

On May 24, 2017 5:09 PM, "Russ" <rucombs () cisco com> wrote:

> On 5/23/17 8:10 PM, tantioification . wrote:
>
>> No, I don't have. I just read the Snort manual and it gives a description
>> about post-detection rule options that "These options are rule specific
>> triggers that happen after a rule has "fired"". What is the meaning of it?
>
> "Fired" means the rule "matches". More specifically, that statement means
> that the rule body options (payload and non-payload) and the rule header
> checks (nets and ports) all match and an alert would be raised.
>
> Most of the post-detection options are really rule actions or logging
> features. detection_filter is a little different though, as it is actually
> the final match criteria that determines whether a rule will fire. If it
> does fire, it is appropriate to evaluate the other post-detection options.
> You wouldn't want to do something like replace a content if the rule
> doesn't actually fire.
>
>> On May 24, 2017 5:26 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>>
>>> Example being?
>>>
>>> --
>>> Joel Esler | Talos: Manager | jesler () cisco com
>>>
>>> On May 23, 2017, at 5:47 AM, tantioification . <tantio86 () gmail com> wrote:
>>>
>>>> Hi,
>>>>
>>>> What is the meaning of "rule has fired" in post-detection rule options?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
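The evaluation order Russ describes, as an added example that is not part of the original thread and is not Snort's own code: a simplified Python model in which the header check, the body options and then detection_filter (tracked by source) must all pass before the rule fires and its post-detection actions run. The class and field names, the fixed-window counting and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Simplified model of one rule; names are illustrative, not Snort internals."""
    dst_port: int        # header check (port)
    content: bytes       # body option (payload match)
    df_count: int        # detection_filter count
    df_seconds: int      # detection_filter seconds
    post_actions: list = field(default_factory=list)  # e.g. ["tag"]
    windows: dict = field(default_factory=dict)       # src -> (start, matches)

    def detection_filter(self, src, now):
        """track by_src: pass only after more than df_count matches in the window."""
        start, n = self.windows.get(src, (now, 0))
        if now - start >= self.df_seconds:  # window expired: start a new one
            start, n = now, 0
        n += 1
        self.windows[src] = (start, n)
        return n > self.df_count

    def evaluate(self, pkt):
        """Return (fired, post-detection actions run) for one packet."""
        if pkt["dport"] != self.dst_port:        # 1. rule header
            return False, []
        if self.content not in pkt["payload"]:   # 2. rule body options
            return False, []
        if not self.detection_filter(pkt["src"], pkt["ts"]):  # 3. final criterion
            return False, []
        return True, list(self.post_actions)     # 4. fired: post-detection runs

# Constructed sample packets (documentation addresses, not real traffic).
SAMPLE = [
    {"ts": 0,  "src": "192.0.2.10", "dport": 22, "payload": b"SSH-2.0-x"},
    {"ts": 1,  "src": "192.0.2.10", "dport": 80, "payload": b"SSH-2.0-x"},  # header miss
    {"ts": 2,  "src": "192.0.2.10", "dport": 22, "payload": b"GET /"},      # body miss
    {"ts": 3,  "src": "192.0.2.10", "dport": 22, "payload": b"SSH-2.0-x"},
    {"ts": 4,  "src": "192.0.2.10", "dport": 22, "payload": b"SSH-2.0-x"},  # 3rd match
    {"ts": 5,  "src": "192.0.2.77", "dport": 22, "payload": b"SSH-2.0-x"},  # other source
    {"ts": 70, "src": "192.0.2.10", "dport": 22, "payload": b"SSH-2.0-x"},  # new window
]

def run(packets, count=2, seconds=60):
    rule = Rule(22, b"SSH-", count, seconds, post_actions=["tag"])
    return [rule.evaluate(p) for p in packets]

if __name__ == "__main__":
    for pkt, (fired, actions) in zip(SAMPLE, run(SAMPLE)):
        print(pkt["ts"], pkt["src"], "fired" if fired else "no alert", actions)
```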
Current thread:
- Post Detection Rule tantioification . (May 23)
- Re: Post Detection Rule Joel Esler (jesler) (May 23)
- Re: Post Detection Rule tantioification . (May 23)
- Re: Post Detection Rule Russ (May 24)
- Re: Post Detection Rule tantioification . (May 24)
- Re: Post Detection Rule tantioification . (May 23)
- Re: Post Detection Rule Joel Esler (jesler) (May 23)