Re: Post Detection Rule

[Russ <rucombs () cisco com>]

On 5/23/17 8:10 PM, tantioification . wrote:
> No, i dont have.
> I just read snort manual and it give description about post-detection rule
> options that "These options are rule spesific triggers that happen after a
> rule has "fired""
> What is it the meaning?
"Fired" means the rule "matches".  More specifically that statement 
means that the rule body options (payload and non-payload) and the rule 
header checks (nets and ports) all match and an alert would be raised.  
Most of the post-detection options are really rule actions or logging 
features.  detection_filter is a little different though as it is 
actually the final match criteria that determines whether a rule will 
fire.  If it does fire it is appropriate to evaluate the other 
post-detection options.  You wouldn't want to do something like replace 
a content if the rule doesn't actually fire.
> On May 24, 2017 5:26 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>
> > Example being?
> >
> >
> > *--*
> > *Joel Esler *| *Talos:* Manager | jesler () cisco com
> >
> >
> >
> >
> >
> >
> > On May 23, 2017, at 5:47 AM, tantioification . <tantio86 () gmail com> wrote:
> >
> > Hi,
> >
> > What is the meaning of "rule has fired" in post-detection rule options?
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!