Re: Post Detection Rule

["tantioification ." <tantio86 () gmail com>]

Thank you Russ for your explain,,it is very help me to learn..

On May 24, 2017 5:09 PM, "Russ" <rucombs () cisco com> wrote:

> On 5/23/17 8:10 PM, tantioification . wrote:
>
> > No, i dont have.
> > I just read snort manual and it give description about post-detection rule
> > options that "These options are rule spesific triggers that happen after a
> > rule has "fired""
> > What is it the meaning?
> "Fired" means the rule "matches".  More specifically that statement means
> that the rule body options (payload and non-payload) and the rule header
> checks (nets and ports) all match and an alert would be raised.  Most of
> the post-detection options are really rule actions or logging features.
> detection_filter is a little different though as it is actually the final
> match criteria that determines whether a rule will fire.  If it does fire
> it is appropriate to evaluate the other post-detection options.  You
> wouldn't want to do something like replace a content if the rule doesn't
> actually fire.
>
> > On May 24, 2017 5:26 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
> >
> > Example being?
> > > *--*
> > > *Joel Esler *| *Talos:* Manager | jesler () cisco com
> > >
> > >
> > >
> > >
> > >
> > >
> > > On May 23, 2017, at 5:47 AM, tantioification . <tantio86 () gmail com>
> > > wrote:
> > >
> > > Hi,
> > >
> > > What is the meaning of "rule has fired" in post-detection rule options?
> > > ------------------------------------------------------------
> > > ------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> > >
> > >
> > >
> > > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!