Re: Questions after 1.9.1 install

[Alberto Gonzalez <albertg () wwjh net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> But was that the *only* rule in your local.rules?

Yes it was, since that was the rule you were having problems with. 

> It's not so much that the rule doesn't work, it's that it doesn't fire
> while a more generic rules does, even when the specific rule is
> *before* the generic one (to address Erek's question..) thus:
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to 445 Win2k SMB"; )
>
> comes before the generic:
>
> alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
> from range 1025-4320";)

gimme a few seconds, I just woke up.. I will drop you a line once/if I 
confirm it...... damn job turned me into a vampire. 

> Does -o also re-order rules within the class "alert" in addition to
> re-ordeging the general classes?

- -o changes the rule ordering to Pass, Alert, and Log. From the default 
Alert, Pass, and Log. 

> I hadn't thought so..
>
>
>
> - John

 Cheers,
 Alberto Gonzalez

- -- 
"Success comes to the person who does today, what you are thinking of doing tomorrow." 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+c45la3vAB/3yp/IRAn/OAKDUNhKw03Av524LHni46Np3y4E+fACg0ziu
f2W+Qw+0hSIS/pFrs2qrT3g=
=6w7Q
-----END PGP SIGNATURE-----



-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users