[Snort-sigs] A question about Snort's rules

benoni.martin at ...406...
Mon Mar 4 07:01:10 EST 2002

Hi everybody!
I have been working with Snort for a fortnight now. I have been reading the
Snort manual and the FAQs, but I am not sure of the answer to the
following question:
I would like to define in a first rule a sort of attack (for example the
famous Speedera type), and in a second one, I'd like to apply a rule like a
"pass" one to disable any alert on this sort of attack. But how can I be
sure that the first rule will be read first and the second one will be
applied with it in mind (well, in Snort's mind!)? In other words, how can I
be sure of the transitivity between the two rules? I think that just
putting the first one before the second one will be enough, but well, I am
not sure!
And if that way is wrong, how could I deal with this?
Thanks in advance!


