[Snort-sigs] Reporting multiple signatures for same packet?

Glenn Larsson ichinin at ...561...
Fri Apr 26 17:05:03 EDT 2002


Hi.

Is it possible to log all the matching content into a logfile?

Suppose you have 2 different rules:

1) Less important signature
	... UriContent:"\virtualroot\"; ... ; msg:"Msg-A";
2) Critical signature
	... UriContent:"exploit"; ... msg:"Msg-B";

The logfile should read:

[**] ... Msg-A [**]
[**] ... Msg-B [**]
(... and the rest of the log entry)

__or__

[**] ... Msg-A [**]
(+rest of log entry)

[**] ... Msg-B [**]
(+rest of log entry)

Problem:

When snort receives "\virtualroot\exploit" the first rule takes
precedence, gets logged and the second signature gets dropped.

The only way to get "exploit" logged is to change the order, but like
with the other order, the second signature is ignored/dropped.

Anyone have a solution for this?

TIA,
Glenn



