Snort mailing list archives
RE: Regarding IDS rules.
From: Andrew Hall <ahall () securenet com au>
Date: Mon, 11 Mar 2002 08:36:53 +1100
Snort will only inform you of the first signature that it matches. Some other IDS products, such as Dragon, will give you all signatures that match.

If you do find that you are triggering multiple signatures with a single event, it may be worthwhile to see whether you can tune your rule set some more ... i.e., the more efficient your rule set, the better your IDS can perform.

Andrew

-----Original Message-----
From: Ashley Thomas [mailto:athomas () unity ncsu edu]
Sent: Sunday, March 10, 2002 4:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Regarding IDS rules.

Hi all,

Is it possible / Is it good / to have multiple rules that might be matched for a packet/event? I mean, when the IDS processes the packet, I could trigger more than one rule, right? Ideally that is not desired, right? But practically, when using Snort, does this happen? Has anyone experienced something similar?

Thanks,
Ashley

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users