[Snort-users] A simple question........
Dennis George 2004-09-13, 7:45 am
Hi all,
I think it will be a simple question... But I am slightly confused...
1) If in my rule file I have 3 rules and in a packet all the 3 rules get satisfied, do I get all three alerts?
2) If I have two identical rules, then does snort discard one of the rules or generate two alerts when that rule is satisfied?
thanks in advance
Dennis
Snort-users mailing list
Snort-users@lists.sourceforge.net
Pedro Fortuna 2004-09-13, 7:45 am
Hello,
1) In these cases, only the highest priority rule will generate an alert.
2) I don't know the answer for sure, but my guess is:
- if the two rules are equal except for the SID, you'll get two alerts
- if the two rules are completely equal (SID included), you'll get
an error on snort start.
-Pedro Fortuna
----- Original Message -----
From: Dennis George <easyeinfo@yahoo.com>
Date: Mon, 13 Sep 2004 02:44:08 -0700 (PDT)
Subject: [Snort-users] A simple question........
To: snort-users@lists.sourceforge.net
Esler, Joel - Contractor 2004-09-13, 7:45 am
Depends on what version of Snort you are running. Apparently Snort
2.2.0 alerts off of multiple rules.
Joel
Dennis George 2004-09-15, 9:56 am
Hi
This is an extract from snort's FAQ (www.snort.org)
==========================================================
alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
Note that all three of the port 80 rules will be checked before the "1:1024"
rule due to the order in which the applicable RTN has been created. This is
because the rules parser builds the first chain header for port 80 traffic and
sticks it on the rules list, then on the next rule it sees that a new chain
header is required, so it gets built and put in place. In this case you would
intuitively expect to get the "example" message and never see the "Port 80 SYN!",
but the opposite is true.
==========================================================
So this means that snort will not check further if any of the rules is matched... Am I correct?
By the way, I am using snort 2.1.0... And is it possible in Snort 2.2.0? Is it the default action in Snort 2.2.0, or do we have to do some work to enable it?
Dennis George 2004-09-15, 9:56 am
Hi
Is anybody there who can solve this simple problem...
Dennis
I believe you are noticing a difference of behavior introduced in 2.1.3
http://www.snort.org
search for Snort 2.1.3 Release Candidate 1 released
where it is noted that event queuing was added.
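A toy Python model of the two behaviours this thread contrasts, added here as an example (it is not the thread's, the FAQ's or Snort's own code): chain_order reproduces the parser ordering the FAQ extract describes, first_match the pre-2.1.3 "first rule wins" evaluation Dennis asks about, and event_queue the event queue the last reply points to in 2.1.3. The rule subset parsed, the packet-as-dict representation and the priority-based ordering are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed input: the four rules quoted from the Snort FAQ in this thread.
FAQ_RULES = '''
alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
'''
# Only the rule shape used above is parsed; $HOME and "any" are not evaluated (assumption).
RULE_RE = re.compile(r'alert tcp any any -> \$HOME (\S+) \((.*)\)')

@dataclass
class Rule:
    header: str   # destination port spec, standing in for Snort's chain header (RTN)
    ports: tuple  # (low, high) inclusive destination port range
    opts: dict    # option keyword -> value, e.g. {"content": "foo", "msg": "foo"}

def parse_rules(text):
    """Parse the toy rule syntax into Rule objects, in file order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        portspec, body = m.groups()
        lo, _, hi = portspec.partition(":")
        opts = {}
        for opt in body.split(";"):
            if ":" in opt:
                key, value = opt.split(":", 1)
                opts[key.strip()] = value.strip().strip('"')
        rules.append(Rule(portspec, (int(lo), int(hi or lo)), opts))
    return rules

def matches(rule, pkt):
    """Toy packet model (assumption): a dict with dport, flags and payload."""
    lo, hi = rule.ports
    if not lo <= pkt["dport"] <= hi:
        return False
    if "content" in rule.opts and rule.opts["content"] not in pkt["payload"]:
        return False
    if "flags" in rule.opts and rule.opts["flags"] != pkt["flags"]:
        return False
    return True

def chain_order(rules):
    """Evaluation order the FAQ describes: one chain header per distinct header,
    created in order of first appearance; every rule hangs off its own header."""
    chains = {}
    for r in rules:
        chains.setdefault(r.header, []).append(r)
    return [r for chain in chains.values() for r in chain]

def first_match(rules, pkt):
    """Model of Snort before 2.1.3: evaluation stops at the first rule that fires."""
    for r in chain_order(rules):
        if matches(r, pkt):
            return [r.opts["msg"]]
    return []

def event_queue(rules, pkt, max_queue=8, log=3):
    """Model of the 2.1.3 event queue: every match is queued (up to max_queue), the
    queue is ordered, and only the first `log` events are logged. Ordering here is
    by the rule's priority option (lower number first, default 3), then chain order."""
    events = [r for r in chain_order(rules) if matches(r, pkt)][:max_queue]
    events.sort(key=lambda r: int(r.opts.get("priority", 3)))
    return [r.opts["msg"] for r in events[:log]]

if __name__ == "__main__":
    rules = parse_rules(FAQ_RULES)
    syn = {"dport": 80, "flags": "S", "payload": ""}  # constructed SYN to port 80
    print(first_match(rules, syn))   # ['Port 80 SYN!'] and never 'example'
    print(event_queue(rules, syn))   # ['Port 80 SYN!', 'example']
```

With the event queue, two rules that differ only in their sid both fire on the same packet (Pedro's first guess), whereas the first-match model only ever reports the earlier one.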