Snort mailing list archives

Re: Several newbie questions


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Feb 2003 13:24:11 -0500

At 10:42 AM 2/13/2003 -0600, Nall, Robert wrote:

> Hello all!!
>
> 1. Rules processing: If a packet sets off one rule, does the packet still get processed by the other rules?

In snort 1.9.x, no: at most one alert per packet. In snort 2.x, yes. Snort-ng adds this capability to snort 1.9.x, but the 1.9.x ruleset isn't really designed with this kind of behavior in mind.

> 2. Packet type: Does "IP" cover TCP, UDP, & ICMP, or is something left out that I need to include?

It should cover any packet which is IP at the network layer, regardless of what type of packet it is at the transport layer. So if you have a TCP/IP, UDP/IP or ICMP/IP packet, the IP type should match any of them. It will also match things like AH/IP and ESP/IP for IPsec (although it will NOT decrypt them), or any other protocol that runs on top of IP.

> 3. ACID w/MySQL Database: How can I get the data moved to the "archive" database faster than using the ACID "move" command?

I can't help you there. I don't use ACID or MySQL in my config.
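
Added example, not part of the original post and not from the Snort project: a small Snort rules fragment illustrating the point in the reply to question 2, that a rule whose protocol field is "ip" matches any packet that is IP at the network layer, while tcp/udp/icmp rules match only their own transport. It assumes $HOME_NET and $EXTERNAL_NET are defined in snort.conf; the sids (local 1000000+ range) and msg strings are made-up placeholders. The last two rules go slightly beyond the reply by narrowing "ip" to the IPsec protocols it mentions with the ip_proto option.

```snort
# Added example, not from the original post. Assumes $HOME_NET and
# $EXTERNAL_NET are defined in snort.conf; sids and msg strings are
# placeholders for illustration only.

# "ip" as the protocol matches any packet that is IP at the network
# layer, whatever rides on top of it: TCP, UDP, ICMP, AH, ESP, GRE...
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST any IP packet from outside"; sid:1000001; rev:1;)

# A transport-specific rule fires only for that transport, and is the
# place where port numbers and transport flags can be constrained.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST TCP SYN to SSH port"; flags:S; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"TEST UDP to DNS port"; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST ICMP echo request"; itype:8; sid:1000004; rev:1;)

# To single out the IPsec traffic the reply mentions, keep "ip" as the
# protocol and narrow it with ip_proto (50 = ESP, 51 = AH). Snort sees
# the IP and IPsec headers but cannot decrypt the payload.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST IPsec ESP"; ip_proto:50; sid:1000005; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST IPsec AH"; ip_proto:51; sid:1000006; rev:1;)
```

A TCP SYN from outside to port 22 satisfies both sid 1000001 and sid 1000002, which ties this back to question 1: per the reply, Snort 1.9.x reports at most one alert for that packet, whereas Snort 2.x reports both. In Snort 2.x, `snort -T -c snort.conf` checks that the rules file parses before you run it on live traffic.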


