Snort mailing list archives
Re: Several newbie questions
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Feb 2003 13:24:11 -0500
At 10:42 AM 2/13/2003 -0600, Nall, Robert wrote:
Hello all!!
1. Rules processing: If a packet sets off one rule, does the packet still get processed by the other rules?
In snort 1.9.x, no, one alert at most per packet.. In snort 2.x, yes.. Snort-ng adds this capability to snort 1.9.x, but the 1.9.x ruleset isn't really designed with this kind of behavior in mind.
2. Packet type: Does "IP" cover TCP, UDP, & ICMP or is something left out that I need to include?
It should cover any packet which is IP at the network layer, regardless of what type of packet it is at the transport layer. So if you have a TCP/IP, UDP/IP or ICMP/IP packet, the IP type should match any of them. It will also match things like AH/IP and ESP/IP for ipsec (although it will NOT decrypt them), or any other protocol that runs over top of IP.
3. ACID w/MySQL Database: How can I get the data moved to the "archive" database faster than using ACID "move" command?
I can't help you there.. I don't use acid or mysql in my config.
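The two behaviours described in the reply above (a rule with protocol "ip" matching on the network layer whatever the transport protocol is, and one alert per packet versus every matching rule alerting) can be seen in a small model. This is an added example, not part of the original message and not Snort's code: the rule list, the function names and the frames are constructed for illustration, and rules are assumed to be evaluated in list order, which is not a claim about Snort's own rule ordering.

```python
import struct

# IANA protocol numbers carried in the IPv4 header's protocol field.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def frame(ethertype, ip_proto=0):
    """Build a constructed Ethernet frame; IPv4 frames get a minimal 20-byte header."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ethertype != ETH_IPV4:
        return eth + b"\x00" * 28  # e.g. an ARP-sized body, contents irrelevant here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip

def ip_protocol(raw):
    """Return the IPv4 protocol number, or None if the frame is not IPv4."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != ETH_IPV4:
        return None
    if raw[14] >> 4 != 4:
        return None
    return raw[14 + 9]  # protocol field is byte 9 of the IPv4 header

def rule_matches(rule_proto, raw):
    """'ip' matches any IPv4 packet; a named protocol matches only its own number."""
    proto = ip_protocol(raw)
    if proto is None:
        return False
    return rule_proto == "ip" or PROTO.get(rule_proto) == proto

def alerts(rules, raw, first_match_only):
    """Evaluate rules in order; stop at the first hit or collect every hit."""
    hits = []
    for rule_proto, msg in rules:
        if rule_matches(rule_proto, raw):
            hits.append(msg)
            if first_match_only:
                break
    return hits

RULES = [("tcp", "tcp rule"), ("icmp", "icmp rule"), ("ip", "any-ip rule")]

if __name__ == "__main__":
    for name in ("tcp", "udp", "icmp", "esp", "ah"):
        pkt = frame(ETH_IPV4, PROTO[name])
        print(name, alerts(RULES, pkt, True), alerts(RULES, pkt, False))
    print("arp", alerts(RULES, frame(ETH_ARP), False))
```

With one alert per packet, a TCP packet that also matches the "ip" rule only ever reports the first rule hit, so the broader rule stays silent for that packet.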