Snort mailing list archives

Re: Regarding IDS rules.


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 11 Mar 2002 03:04:33 +0000


Snort uses the first rule that triggers.
The "first" rule is consistent, but not what you
would normally expect with simple logic.  I think
Marty wrote some messages a while back explaining rule chains
and option nodes that may help you
understand which rule is checked first in a chain;
a search of the archives of
this list may turn them up.

Quick version: rule chains are separated by address,
and the last rule added to the chain is the first
checked. (Or I think that's the way it worked the
last time I looked at it :-P )

cheers,
--dr
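Added example, not code from Snort or from anyone in this thread: a toy model of the ordering Dragos describes above (rules grouped into chains keyed by address, newest rule at the head of its chain, first trigger wins). The chain key and the fallback order for "any" addresses are assumptions of this model, not Snort's real data structures.

```python
# Toy model (not Snort's code) of "first rule that triggers" matching with
# per-address chains where the last rule added is the first one checked.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    msg: str
    src: str        # source address or "any"
    dst: str        # destination address or "any"
    content: bytes  # payload substring this rule looks for


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


class RuleChains:
    """Rules keyed by (src, dst); the most recently added rule sits at the head."""

    def __init__(self):
        self.chains = defaultdict(list)

    def add(self, rule):
        # Prepend, so the last rule added is the first one checked.
        self.chains[(rule.src, rule.dst)].insert(0, rule)

    def candidate_chains(self, pkt):
        # Assumed lookup order: exact chain first, then the "any" chains.
        for key in ((pkt.src, pkt.dst), ("any", pkt.dst),
                    (pkt.src, "any"), ("any", "any")):
            yield self.chains.get(key, [])

    def first_match(self, pkt):
        """The single rule that fires under first-match semantics, or None."""
        for chain in self.candidate_chains(pkt):
            for rule in chain:
                if rule.content in pkt.payload:
                    return rule
        return None

    def all_matches(self, pkt):
        """Every rule whose content matches; shows what first-match hides."""
        return [r for chain in self.candidate_chains(pkt)
                for r in chain if r.content in pkt.payload]
```

With a generic `GET ` rule added before a specific `GET /admin` rule on the same address chain, `first_match` reports the specific rule; add them in the opposite order and the generic rule shadows it, which is the effect the message warns about.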

On Sun, 10 Mar 2002 00:03:51 -0500 (EST)
Ashley Thomas <athomas () unity ncsu edu> wrote:

Hi all,

Is it possible / is it good / to have multiple rules that might be matched
for a packet/event?

I mean, when the IDS processes the packet, it could trigger more than one
rule, right?

Ideally that is not desired, right ?
But practically when using Snort does this happen ?

Has anyone experienced something similar ?

thanks
Ashley


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

