Snort mailing list archives
RE: The order that rules are processed in?
From: "Paul D. Shaffer" <paulshaf () earthlink net>
Date: Sat, 1 Feb 2003 21:56:11 -0700
If you start snort with the -o option, yes - pass rules 1st...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Schmehl, Paul L
Sent: Saturday, February 01, 2003 9:23 PM
To: twig les; snort-users () lists sourceforge net
Subject: RE: [Snort-users] The order that rules are processed in?

Thanks. What I'm trying to figure out is, if I put a pass rule for ICMP in my custom rules, will it get processed before icmp.rules does? Or will the alert rule in icmp.rules be triggered first because my local.rules are listed later in the snort.conf file? Or does snort process *all* pass rules (regardless of what file they're in) *before* it processes any alert rules?

I guess what I'm trying to figure out is program flow, not within a ruleset, but for the entire list of rulesets.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Saturday, February 01, 2003 10:06 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: Re: [Snort-users] The order that rules are processed in?

I keep all custom rules in a file called (oddly enough) custom.rules. That way they never get overwritten when updating rules. If you write a rule with bad syntax then Snort will error and fail to start. If your syntax is right but the logic is wrong ....

I don't think the order of rules files called in snort.conf is important but I could be wrong on that one.

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
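
Added example, not part of the original thread and not Snort's own code: a simplified Python model of the ordering question asked above. It assumes the behaviour documented in the snort man page of that era (rules are grouped by action and applied Alert -> Pass -> Log by default, Pass -> Alert -> Log with -o); the rule text, sids, file contents and addresses are constructed, and matching is reduced to protocol and source address.

```python
# Simplified model of rule ordering in Snort of this era; not Snort's code.
# Assumption (from the snort man page): default order Alert -> Pass -> Log,
# and -o changes it to Pass -> Alert -> Log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

# Constructed rule files, listed in snort.conf include order.
RULE_FILES = [
    ("icmp.rules",
     'alert icmp any any -> any any (msg:"constructed ICMP alert"; sid:1000001;)'),
    ("local.rules",
     'pass icmp 192.0.2.10 any -> any any (sid:1000002;)'),
]

def load(rule_files):
    """Group rules by action; the source file is kept only as a label."""
    chains = {action: [] for action in DEFAULT_ORDER}
    for fname, text in rule_files:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            action, proto, src = line.split()[:3]
            chains[action].append({"file": fname, "proto": proto, "src": src})
    return chains

def evaluate(chains, packet, pass_first=False):
    """Return (action, file) of the first matching rule, walking chains in order."""
    order = PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER
    for action in order:
        for rule in chains[action]:
            if rule["proto"] == packet["proto"] and rule["src"] in ("any", packet["src"]):
                return action, rule["file"]
    return None, None

if __name__ == "__main__":
    chains = load(RULE_FILES)
    monitor = {"proto": "icmp", "src": "192.0.2.10"}   # constructed trusted pinger
    other = {"proto": "icmp", "src": "198.51.100.7"}   # constructed other host
    for name, pkt in (("monitor", monitor), ("other", other)):
        print(name, "default:", evaluate(chains, pkt),
              "-o:", evaluate(chains, pkt, pass_first=True))
```

In this model the include order of the rule files never changes the outcome; only the action order does, so the pass rule suppresses the alert for the trusted host only when pass rules are evaluated first.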
Current thread:
- The order that rules are processed in? Schmehl, Paul L (Feb 01)
- Re: The order that rules are processed in? twig les (Feb 01)
- <Possible follow-ups>
- RE: The order that rules are processed in? Schmehl, Paul L (Feb 01)
- RE: The order that rules are processed in? Paul D. Shaffer (Feb 01)
- Re: The order that rules are processed in? Dragos Ruiu (Feb 01)
- Re: The order that rules are processed in? Dragos Ruiu (Feb 01)
- RE: The order that rules are processed in? Schmehl, Paul L (Feb 01)
- RE: The order that rules are processed in? Rich Adamson (Feb 02)
- RE: The order that rules are processed in? Schmehl, Paul L (Feb 02)