(no subject)

[Juergen Anthamatten <juergen.anthamatten () gmx net>]

> On Tue, 24 Jun 2003, Juergen Anthamatten wrote:
>
> [...snip...]
>
> > Rule application order: alert->pass->alarm
>
> [...snip...]
>
> By default, pass rules are applied last.  You need to change the order of
> the applications of rules.  With custom types, they are applied last
> unless you change the order.
>
> You can change the order with "-o" or a config directive.  If you want
> 'alarm' to go first, then you need to use the config directive [0]:
>
>       config order:  alarm pass alert dynamic
>
> Cheers!
thx for the reply.

the rule order "alert->pass->alarm" is what I want and I'm using already
"config order:  alert pass alarm ..."

the problem was that for about 99% of syn-acks from 64.232.48.230 
( of the form: 64.232.48.230.80 > universe.unpriv: S
2146395230:2146395230(0) ack...) 
the pass rule was matching and for about 1% the alarm rule. 
Even if the order of "pass" and "alarm" would be wrong, 100% of the syn-acks
from  64.232.48.230:80 have to match either the pass rule or the alarm rule,
but not some the pass-rule and some the alarm-rule...

Andrew R. Baker's suggestion to use the latest version from the CVS-tree 
fixed the problem....

./juergen


-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users