Snort mailing list archives

Weird rule order problem


From: "Jaakko J." <jaakko () q-olio net>
Date: Fri, 19 Sep 2003 16:32:36 +0300

Hello!

I've got several Snort boxes running with identical configuration. In
the local.rules files I've got rules like this, in this order:

alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"LOCAL TCP connection \
to unused address"; classtype:network-scan;)

alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service \
scan to unused address"; classtype:network-scan;)

Now, when a TCP packet arrives at any of the unused addresses, port 21, on
some hosts it's rule 1 that fires, and on other hosts rule 2. I used to
have the rules ordered the other way around, so that generic detection was
the last rule. Back then I only got alerts from the generic rule.

I would of course like the generic rule to fire only if none of the more
detailed rules catches a packet. Am I doing something wrong or is there
a bug in Snort?

I'm using Snort 2.0.2 with OpenBSD 3.3. The problem was present with Snort
2.0.0 and 2.0.1 also.

- Jaakko
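The situation described in the post (a generic "any port" rule and a more specific port-21 rule with identical source and destination, where the one that fires depends on the host) is the kind of overlap that is easy to catch before deploying a rule file. The following is an added example, not code from the post or from the Snort project: a small header-only linter that parses Snort rule headers the way the quoted local.rules lines are written (with backslash line continuation) and reports every pair where one rule's header matches a strict superset of what another rule's header matches. The SAMPLE_RULES text is a constructed copy of the two rules quoted above; the comparison looks only at the header fields (action, protocol, addresses, ports, direction), treats `any` as matching everything and otherwise requires an exact string match, and ignores payload options, port ranges and negations.

```python
import re

# Constructed sample in the shape of the local.rules excerpt quoted in the post
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"LOCAL TCP connection \
to unused address"; classtype:network-scan;)

alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service \
scan to unused address"; classtype:network-scan;)
"""

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def join_continuations(text):
    """Join lines that end in a backslash into one logical rule line.

    Blank lines and '#' comments are dropped.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep accumulating; newline removed
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            logical.append(stripped)
        buf = ""
    return logical


def parse_rules(text):
    """Return a list of dicts with the header fields and the msg option of each rule."""
    rules = []
    for line in join_continuations(text):
        m = HEADER_RE.match(line)
        if not m:
            continue                   # not a rule line (e.g. a variable definition)
        rule = m.groupdict()
        msg = re.search(r'msg:\s*"([^"]*)"', rule["opts"])
        rule["msg"] = msg.group(1) if msg else ""
        rules.append(rule)
    return rules


def _field_covers(general, specific):
    """'any' covers every value; otherwise the header tokens must be identical."""
    return general == "any" or general == specific


def covers(general, specific):
    """True when every packet matched by `specific`'s header is also matched by `general`'s.

    Header-only check: option keywords such as content: or flags: are ignored.
    """
    if (general["action"], general["proto"], general["direction"]) != (
        specific["action"], specific["proto"], specific["direction"]
    ):
        return False
    return all(
        _field_covers(general[f], specific[f]) for f in ("src", "sport", "dst", "dport")
    )


def find_overlaps(rules):
    """Return (general_msg, specific_msg) pairs where one header strictly covers another.

    For such pairs Snort gives no guarantee about which rule reports the packet,
    so the more specific rule should exclude the overlap (or the generic one
    should be narrowed) rather than relying on file order.
    """
    overlaps = []
    for g in rules:
        for s in rules:
            if g is s:
                continue
            if covers(g, s) and not covers(s, g):
                overlaps.append((g["msg"], s["msg"]))
    return overlaps


if __name__ == "__main__":
    for general_msg, specific_msg in find_overlaps(parse_rules(SAMPLE_RULES)):
        print(f'"{general_msg}" also matches everything "{specific_msg}" matches')
```

Run against the two quoted rules, the script reports the generic TCP rule as covering the FTP rule, which is exactly the pair whose firing order differed between hosts in the post.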




_______________________________________________
Snort-users mailing list

