Snort mailing list archives

RE: Regarding IDS rules.


From: Andrew Hall <ahall () securenet com au>
Date: Mon, 11 Mar 2002 08:36:53 +1100

Snort will only inform you of the first signature that it matches.  Some
other IDS products, such as Dragon, will give you all signatures that match.

If you do find that you are triggering multiple signatures with a single
event, it may be worthwhile to see whether you can tune your rule set some
more ... i.e. the more efficient your rule set, the better your IDS can
perform.

Andrew

-----Original Message-----
From: Ashley Thomas [mailto:athomas () unity ncsu edu]
Sent: Sunday, March 10, 2002 4:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Regarding IDS rules.


Hi all,

Is it possible / is it good to have multiple rules that might be matched
for a packet/event?

I mean, when the IDS processes the packet, it could trigger more than one
rule, right?

Ideally that is not desired, right?
But practically, when using Snort, does this happen?

Has anyone experienced something similar?

thanks
Ashley


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
