Re: The order that rules are processed in?

[twig les <twigles () yahoo com>]

I keep all custom rules in a file called (oddly
enough) custom.rules.  That way they never get
overwritten when updating rules.  If you write a rule
with bad syntax then Snort will error and fail to
start.  If your syntax is right but the logic is wrong
....  I don't think the order of rules files called in
snort.conf is important but I could be wrong on that
one.

--- "Schmehl, Paul L" <pauls () utdallas edu> wrote:
> Before you groan and point me to the FAQ and
> archives, I've been looking
> for these for a while, and I've already been through
> the FAQ and the
> archives.... :-)
>
> I just installed Version 1.9.0 (Build 209) on a
> FreeBSD 4.7 box (from
> the ports, not compiled from source on snort.org)
> logging to mysql and
> using ACID to view (works great, btw).  Thanks to
> Keith Tokash for a
> great installation guide!  I only had a couple of
> problems due to
> changes between FreeBSD 4.6 and 4.7, but nothing
> major.
>
> I'm trying to find out in what order snort processes
> the rules.  Is it
> in the order that they are listed in snort.conf? 
> Right now I'm writing
> pass rules (using vars for specific hosts - like
> this - var
> ICMP_DEST_UNRCH [x.x.x.x,x.x.x.x]) to get rid of
> alerts for things we
> don't want to see from specific hosts (we know the
> router is going to
> spew these, for example.)  I'm putting the pass
> rules at the beginning
> of the rule file (like icmp.rules) and I'm starting
> snort with the -o
> switch to process the pass rules first
>
> My edits of these files will get overwritten when I
> update, right?  If I
> knew local.rules was processed first by placing it
> first in the
> snort.conf file, I'd put these in there and move it
> to the top of the
> list, and then I'd put all my pass rules in
> local.rules.  Does it matter
> where local.rules is in snort.conf?
>
> Also, if you create a bad rule (improper syntax,
> misspelled args, etc.,
> does snort log that anywhere?  Will it even start if
> a rule is written
> incorrectly?  Will it ignore the bad rule?
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
-------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld =
> Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users