Snort mailing list archives
Another Snort Rules Question
From: "Scott Elgram" <SElgram () verifpoint com>
Date: Tue, 7 Sep 2004 16:38:31 -0700
Hello again, I have 2 rules.... (yes this is pointless and bad practice, I know, just bear with me here).

alert icmp 192.168.0.31 any -> 192.168.0.240 any (msg: "Test ICMP ping 1";)
alert icmp 192.168.0.31 any -> 192.168.0.240 any (msg: "Test ICMP ping 2";)

Ok, I am 192.168.31 and I ping 192.168.0.240........ In ACID I get 2 alerts. One for msg: "Test ICMP ping 1" and one for "Test ICMP ping 2". Now, I could be wrong here but I thought after a packet is shown true to a rule Snort stops comparing the packet to rules.

-Scott
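Added illustration, not part of the original post: a small Python model of the two rules above in which every matching rule produces an event for the packet and a per-packet log limit decides how many are reported. The parser, the constructed packet and the `evaluate`/`first_match_only` functions are hypothetical; the `log_limit` default of 3 is modelled on the `log 3` value in Snort 2's stock `config event_queue` line.

```python
import re
from dataclasses import dataclass

# Constructed packet for the example: the ping described in the post.
PACKET = {"proto": "icmp", "src": "192.168.0.31", "sport": None,
          "dst": "192.168.0.240", "dport": None}

# The two rules quoted in the post, verbatim.
RULES_TEXT = """
alert icmp 192.168.0.31 any -> 192.168.0.240 any (msg: "Test ICMP ping 1";)
alert icmp 192.168.0.31 any -> 192.168.0.240 any (msg: "Test ICMP ping 2";)
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str

def parse_rules(text):
    """Parse the header and the msg option of each rule line (hypothetical parser)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        msg_m = re.search(r'msg:\s*"([^"]*)"', m.group(7))
        rules.append(Rule(*m.groups()[:6], msg_m.group(1) if msg_m else ""))
    return rules

def _field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)

def rule_matches(rule, pkt):
    return (rule.proto == pkt["proto"]
            and _field_matches(rule.src, pkt["src"]) and _field_matches(rule.sport, pkt["sport"])
            and _field_matches(rule.dst, pkt["dst"]) and _field_matches(rule.dport, pkt["dport"]))

def evaluate(rules, pkt, log_limit=3):
    """Queue every matching rule, then report at most log_limit events for this packet."""
    queue = [r.msg for r in rules if rule_matches(r, pkt)]
    return queue[:log_limit]

def first_match_only(rules, pkt):
    """The behaviour the post assumed: stop after the first matching rule."""
    return evaluate(rules, pkt, log_limit=1)
```

With the limit at 3 both "Test ICMP ping" events are reported for the one packet; with a limit of 1 only the first rule's message survives.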
Current thread:
- Another Snort Rules Question Scott Elgram (Sep 07)
- Re: Another Snort Rules Question Erik Fichtner (Sep 07)
- Re: Another Snort Rules Question Scott Elgram (Sep 08)
- Re: Another Snort Rules Question Erik Fichtner (Sep 08)
- ADDENDUM: Re: Another Snort Rules Question Erik Fichtner (Sep 08)
- Re: Another Snort Rules Question Scott Elgram (Sep 08)
- Re: Another Snort Rules Question Erik Fichtner (Sep 07)