Snort mailing list archives
Re: Regarding IDS rules.
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 11 Mar 2002 03:04:33 +0000
Snort uses the first rule that triggers. The "first" rule is consistent, but not what you would normally expect with simple logic. I think Marty wrote some messages explaining rule chains and option nodes a while back that may help you understand what is the first rule checked in a chain, which a search of the archives of this list may turn up.

Quick version: rule chains are separated by address, and the last rule added to the chain is the first checked. (Or I think that's the way it worked the last time I looked at it :-P )

cheers,
--dr

On Sun, 10 Mar 2002 00:03:51 -0500 (EST) Ashley Thomas <athomas () unity ncsu edu> wrote:
Hi all,

Is it possible / is it good to have multiple rules that might be matched for a packet/event? I mean, when the IDS processes the packet, it could trigger more than one rule, right? Ideally that is not desired, right? But practically, when using Snort, does this happen? Has anyone experienced something similar?

thanks
Ashley

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Regarding IDS rules. Ashley Thomas (Mar 09)
- Re: Regarding IDS rules. Dragos Ruiu (Mar 12)
- <Possible follow-ups>
- RE: Regarding IDS rules. Andrew Hall (Mar 10)