Snort mailing list archives

Re: The order that rules are processed in?


From: Dragos Ruiu <dr () kyx net>
Date: Sat, 1 Feb 2003 19:59:54 +0000

Oops
I should read all my mail before I get snotty. :-) :-P

cheers,
--dr

On February 1, 2003 07:58 pm, Dragos Ruiu wrote:
As I said off list...

This actually IS in the faq... grep for Option Tree Nodes.
It has changed a little recently tho... but the faq answer is still useful.

Oh and when you give it a bad rule it will puke horribly
and complain loudly.. It might even ask you WTF? :-) :-) :-)

cheers,
--dr

On February 2, 2003 04:22 am, Schmehl, Paul L wrote:
Thanks.

What I'm trying to figure out is, if I put a pass rule for ICMP in my
custom rules, will it get processed before icmp.rules does?  Or will the
alert rule in icmp.rules be triggered first because my local.rules are
listed later in the snort.conf file.  Or does snort process *all* pass
rules (regardless of what file they're in) *before* it processes any
alert rules?

I guess what I'm trying to figure out is program flow, not within a
ruleset, but for the entire list of rulesets.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member


-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Saturday, February 01, 2003 10:06 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: Re: [Snort-users] The order that rules are processed in?


I keep all custom rules in a file called (oddly
enough) custom.rules.  That way they never get
overwritten when updating rules.  If you write a rule
with bad syntax then Snort will error and fail to
start.  If your syntax is right but the logic is wrong
....  I don't think the order of rules files called in snort.conf is
important but I could be wrong on that one.


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
dr () kyx net   pgp: http://dragos.com/ kyxpgp
http://cansecwest.com




