Snort mailing list archives

Re: How to turn on first-match-out criteria


From: Pablo Artuso <artusopablo () gmail com>
Date: Wed, 28 May 2014 08:30:33 -0300

Hi there,

I was doing some more testing on this requirement I have, but unfortunately
I didn't arrive at anything useful.

I have read this post http://seclists.org/snort/2014/q2/546 where Joel
Esler answers a SNORT user that the order in which the rules are applied
doesn't have anything to do with SID numbers, but will depend on the
order in which the fast-pattern matches are found in the payload.

I'd like to understand this better, because right now I have no idea how
to continue... in fact, I have two questions:

1) Is there a way to force the order in which SNORT evaluates the rules?
2) Once a rule is matched, and this rule generates an alert, is it possible
to STOP evaluating the rest of the rules?

I've been checking different keywords named in the SNORT manual and some
forums, such as: pass, noalert, flowbits, dynamic rules, activate, etc. But
none of them helped me (or at least I didn't know how to combine them
properly) to get what I need.

I think this could clarify my need even more: let's suppose there are
two rules (Rule A and Rule B) where both check if "Y" is present in the
packet, but rule B also checks if "X" is present in the packet.
So, if I receive a packet containing "X" and "Y", I want to receive ONLY
the alert of rule B, and not the one coming from rule A.

Does anybody know how to do this? Maybe combining some other keywords?

Thanks in advance,
Pablo

2014-05-05 12:55 GMT-03:00 Pablo Artuso <artusopablo () gmail com>:

Hi, I'm using Snort 2.9. I have been searching this for hours and didn't
find the answer (even in the archives of this list). I read that, in
previous versions, it was the default configuration.

How can I configure my Snort in order to accomplish both things:
         - Alert when a rule matches.
         - Finish. I mean, stop matching other rules.


Thank you!
Kind regards,

Pablo
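As an added illustration of the "X and Y" scenario above (this is not part of Pablo's mail or of the Snort project's own configuration): in Snort 2.9 every rule is still evaluated against the packet, but the event queue decides which of the resulting events are logged, so setting `log 1` with `order_events priority` keeps only the single highest-priority event per packet and lets rule B outrank rule A through the `priority` option. The SIDs, messages, port and the one-byte patterns are constructed values; this limits what is logged, it does not stop rule evaluation.

```snort
# snort.conf fragment (added example): log only the one highest-priority
# event per packet instead of the default "log 3" (default order is
# content_length, which would not distinguish two one-byte patterns).
config event_queue: max_queue 8 log 1 order_events priority

# Rule A: fires on any packet carrying "Y". priority:3 ranks it below
# rule B (in Snort a smaller priority number is a higher priority).
alert tcp any any -> any 80 (msg:"Rule A - Y seen"; content:"Y"; priority:3; sid:1000001; rev:1;)

# Rule B: needs both "X" and "Y". On a packet containing both, A and B
# are both queued, but with log 1 only this higher-priority event is
# written; on a packet with only "Y", A is the sole event and is logged.
alert tcp any any -> any 80 (msg:"Rule B - X and Y seen"; content:"X"; content:"Y"; priority:1; sid:1000002; rev:1;)
```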
