Snort mailing list archives

Trigger of multiple rules


From: "Denny Page" <denny () cococafe com>
Date: Fri, 3 Oct 2003 19:52:24 -0700

Ok, I admit: I am confused.

I have the following 2 rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "NETBIOS access attempt";
flags:S,12; classtype: attempted-recon; sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> 10.10.1.1 any (msg:"Host X access attempt";
flags:S,12; classtype: attempted-recon; sid:1000999; rev:1;)

If I hit port 139 on any other host in the network, the NETBIOS access rule
triggers.  If I hit any port other than 139 on 10.10.1.1, the Host X access
rule triggers.  But if I hit port 139 on 10.10.1.1, _only_ the Host X access
rule triggers!  This behavior is quite unexpected.  Anyone have any ideas?

For reference, I'm running Snort 2.0.2 with Barnyard feeding MySQL via
unified log output.

Thanks,

Denny
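The three packets the post describes, run through a toy model of Snort-style header matching (an added example of my own, not code from the list post or from Snort). It assumes $HOME_NET is 10.10.1.0/24 and that the sensor reports at most one event per packet, the reading that fits what was observed; it does not model Snort's internal rule ordering, so it makes no claim about which of two matching rules is the one reported.

```python
# Toy Snort-header matcher (added example, not Snort's own code).
import ipaddress
import re

HOME_NET = ipaddress.ip_network("10.10.1.0/24")  # assumed value of $HOME_NET

# The two rules from the post, verbatim.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "NETBIOS access attempt"; flags:S,12; classtype: attempted-recon; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> 10.10.1.1 any (msg:"Host X access attempt"; flags:S,12; classtype: attempted-recon; sid:1000999; rev:1;)',
]
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(text):
    """Split a rule into its header fields plus the msg/sid/flags options used here."""
    action, proto, src, sport, dst, dport, opts = HEADER.match(text).groups()
    sid = int(re.search(r"sid:\s*(\d+)", opts).group(1))
    msg = re.search(r'msg:\s*"([^"]*)"', opts).group(1)
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "sid": sid, "msg": msg, "syn": "flags:S" in opts}

def addr_matches(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "any": return True
    if spec == "$HOME_NET": return ip in HOME_NET
    if spec == "$EXTERNAL_NET": return ip not in HOME_NET  # assumed: !$HOME_NET
    return ip == ipaddress.ip_address(spec)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    return (pkt["proto"] == rule["proto"]
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])
            and (not rule["syn"] or pkt["flags"] == "S"))  # flags:S,12 -> SYN set

def alerts(pkt, one_per_packet=True):
    """Sids that fire for pkt. one_per_packet models a sensor that reports a single
    event per packet (an assumption); with it off, every matching rule is listed."""
    fired = [r["sid"] for r in map(parse_rule, RULES) if rule_matches(r, pkt)]
    return fired[:1] if one_per_packet else fired

# Constructed sample packets for the three cases in the post (192.0.2.5 is a test address).
PKT_OTHER_139 = {"proto": "tcp", "src": "192.0.2.5", "sport": 40000, "dst": "10.10.1.20", "dport": 139, "flags": "S"}
PKT_HOSTX_80 = {"proto": "tcp", "src": "192.0.2.5", "sport": 40001, "dst": "10.10.1.1", "dport": 80, "flags": "S"}
PKT_HOSTX_139 = {"proto": "tcp", "src": "192.0.2.5", "sport": 40002, "dst": "10.10.1.1", "dport": 139, "flags": "S"}

if __name__ == "__main__":
    for name, pkt in [("other:139", PKT_OTHER_139), ("hostx:80", PKT_HOSTX_80), ("hostx:139", PKT_HOSTX_139)]:
        print(name, "one-per-packet:", alerts(pkt), "all matches:", alerts(pkt, one_per_packet=False))
```

The SYN to 10.10.1.1:139 matches both headers, so the single alert seen is a matter of how many events the sensor reports per packet, not of one rule failing to match.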
