Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Newbie questions are as newbie questions does

From: "Michael L. Artz" <dragon () october29 net>
Date: Mon, 07 Apr 2003 22:02:07 -0400
Snort is currently "first match out" IDS, so make sure that you define your alerts by specificity in the config file. 

-Mike


Geoff Craig wrote:


Hello all,
In a “theoretical” deployment, say you had one Snort box that was monitoring traffic going to 3 boxes, 2 real web servers, and 1 honeypot. So, I have a rule that alerts on all port 80 traffic going to the honeypot, but just the web-iis.rules for the other 2 web servers. Will the rule that logs all port 80 traffic cause the web-iis.rules to not be fired when going to the honeypot? If I need to be more in depth let me know.
In other words, what happens if two rules happen to be a positive for a certain packet or stream? If only one fires how can you control which one? 

Thanks!

Geoff







-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb:
Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: