Snort mailing list archives
Re: A simple question........
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 16 Sep 2004 23:40:36 -0400
The FAQ needs to be updated....
-Marty
On Sep 14, 2004, at 10:46 PM, Jason wrote:
I believe you are noticing a difference of behavior introduces in 2.1.3 http://www.snort.org search for Snort 2.1.3 Release Candidate 1 released where it is noted that event queuing was added. Dennis George wrote:Hi Is anybody there who can solve this simple problem... Dennis Dennis George <easyeinfo () yahoo com> wrote:HiThis is an extract from snort's FAQ (www.snort.org) ========================================================== alert tcpany any -> $HOME 80 (content: "foo"; msg: "foo";) alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";) alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";) alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";) Note that all three of the port 80 rules will be checked before the "1:1024" rule due to the order in which the applicable RTN has been created. This is because the rules parser builds the first chain header for port 80 traffic and sticks it on the rules list, then on the next rule it sees that a new chain header is required, so it gets built and put in place. In this case you would intuitively expect to get the "example" message and never see the "Port 80 SYN! ", but theopposite is true. ==========================================================So this means that snort will not check further if any of the rule is matched..... Am I correct ???? By the I am using snort 2.1.0 ..... And Is it possible in Snort 2.2.0 ..... Is it the default action in Snort 2.2.0 or do we have to do some work to enable it ???? Pedro Fortuna <pedro.fortuna () gmail com> wrote: Hello, 1) In these cases, only the highest priority rule will generate an alert. 2) I dont know the answer for sure, but my guess is: - if the two rules are equal except for the SID, you'll get two alerts - if the two rules are completly equal (SID included), you'll get an error on snort start. -Pedro FortunaEsler, Joel - Contractor" <joel.esler () rcert-s army mil> wrote: Depends on what version of Snort you are running. Apparently Snort2.2.0 alerts off of multiple rules. Joel ----- Original Message ----- From: Dennis George Date: Mon, 13 Sep 2004 02:44:08 -0700 (PDT) Subject: [Snort-users] A simple question........ To: snort-users () lists sourceforge net Hi all,I think it will be simple question............ But I am slighlty confused.......... 1) If in my rule file I have 3 rules and in a packet all the 3 rules get satisfied... do I get all the three alerts ?? 2) If I have two identical rules then does snort discard one of the rule or generate two alerts when that rule is satisfied ???thanks in advance Dennis --------------------------------- Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! --------------------------------- Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage!------------------------------------------------------- This SF.Net email is sponsored by: thawte's Crypto Challenge Vl Crack the code and win a Sony DCRHC40 MiniDV Digital Handycam Camcorder. More prizes in the weekly Lunch Hour Challenge. Sign up NOW http://ad.doubleclick.net/clk;10740251;10262165;m _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Discover. Determine. Defend. roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- A simple question........ Dennis George (Sep 13)
- Re: A simple question........ Pedro Fortuna (Sep 13)
- Re: A simple question........ Dennis George (Sep 13)
- Re: A simple question........ Dennis George (Sep 14)
- Re: A simple question........ Jason (Sep 14)
- Re: A simple question........ Martin Roesch (Sep 16)
- Re: A simple question........ Dennis George (Sep 13)
- Re: A simple question........ Pedro Fortuna (Sep 13)
- <Possible follow-ups>
- RE: A simple question........ Esler, Joel - Contractor (Sep 13)