Snort mailing list archives

Re: Just one match could cover serious attack


From: John Sage <jsage () finchhaven com>
Date: Sun, 25 Aug 2002 13:02:03 -0700

Alvaro:

On Sun, Aug 25, 2002 at 07:43:38AM -0700, Alvaro Lillo wrote:
> I have seen that some packets that match more than
> one rule of snort only generate one alert. This
> happens because snort, at the first match, doesn't
> continue comparing content. This could cover an attack
> generating only alerts of low importance.
>
> Is there any way to give priority to some rules over
> others (the idea is that snort first searches for
> matches in some selected rules before the others)?

Other than reordering the includes in snort.conf, and/or reordering
individual rules within a given *.rules file, I don't believe there's
any way to do what you're suggesting.

And think about it: at the moment, snort stops examining a packet at
first match.

If snort were to do what you're suggesting, then snort would need to
maintain two separate states for each packet: what matches had been
found, and where in the rule parsing sequence it should resume looking
for yet another match.

Quite a bit of overhead to perform for each packet.


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
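The shadowing effect discussed in this thread, shown as an added example that is not part of the original posts and not Snort code. It is a toy first-match engine in Python with constructed rules and one constructed packet: a low-importance rule that fires on any /cgi-bin/ request is listed ahead of a more serious rule for a specific CGI attack, so the first-match scan reports only the low-importance alert. Reordering the rule list, as the reply suggests, is emulated by sorting on a priority field; the all-matches scan shows the extra per-packet work that continuing past the first hit would cost. The rule and packet contents, SIDs and priorities are all hypothetical.

```python
"""Toy first-match rule engine (added example, not Snort's own code or syntax).

Illustrates why a low-priority rule listed before a high-priority one
can hide the serious alert when the engine stops at the first match.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int          # hypothetical rule id
    msg: str          # hypothetical alert message
    priority: int     # 1 = most serious (lower number = more important)
    dport: int        # destination port the rule applies to
    content: bytes    # byte pattern the rule looks for in the payload


@dataclass(frozen=True)
class Packet:
    dport: int
    payload: bytes


def matches(rule: Rule, pkt: Packet) -> bool:
    """Port check plus a plain substring search on the payload."""
    return pkt.dport == rule.dport and rule.content in pkt.payload


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Stop at the first rule that matches, as the thread describes Snort doing."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def all_matches(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Keep scanning after a hit: every matching rule is reported.

    This is the extra work per packet the reply refers to; the engine has
    to carry the matches found so far and keep its place in the rule list.
    """
    return [rule for rule in rules if matches(rule, pkt)]


def order_by_priority(rules: List[Rule]) -> List[Rule]:
    """Emulate reordering the rules by hand: most serious rules first.

    sorted() is stable, so rules with equal priority keep their file order.
    """
    return sorted(rules, key=lambda r: r.priority)


# Constructed sample rules, in the order they would be read from a rules file.
# The generic /cgi-bin/ rule comes first and matches anything the specific
# rule matches, so under first-match it always wins.
RULES = [
    Rule(sid=1000001, msg="generic /cgi-bin/ access", priority=3,
         dport=80, content=b"/cgi-bin/"),
    Rule(sid=1000002, msg="specific CGI attack attempt", priority=1,
         dport=80, content=b"/cgi-bin/vuln.cgi?cmd="),
]

# Constructed sample packet that satisfies both rules.
PKT = Packet(dport=80,
             payload=b"GET /cgi-bin/vuln.cgi?cmd=id HTTP/1.0\r\n\r\n")


def shadowed_alert(rules: List[Rule], pkt: Packet) -> bool:
    """True if first-match reports something less serious than the best match."""
    hit = first_match(rules, pkt)
    hits = all_matches(rules, pkt)
    if hit is None or not hits:
        return False
    return hit.priority > min(r.priority for r in hits)


if __name__ == "__main__":
    hit = first_match(RULES, PKT)
    print("file order, first match :", hit.sid, hit.msg)
    hit = first_match(order_by_priority(RULES), PKT)
    print("priority order, first match:", hit.sid, hit.msg)
    print("all matches               :", [r.sid for r in all_matches(RULES, PKT)])
    print("shadowed in file order    :", shadowed_alert(RULES, PKT))
```

The same reordering in a real deployment is done by hand: put the rules file holding the serious signatures ahead of the generic ones in snort.conf, and within a file list the specific rule before the broad one, since the engine described here takes whichever matching rule it reaches first.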

