[Snort-users] announcement & questions: user space firewall

Dan Hollis goemon at ...20...
Wed Nov 29 18:52:13 EST 2000


On Wed, 29 Nov 2000, Todd Lewis wrote:
> On Tue, 28 Nov 2000, Martin Roesch wrote:
> > > 5) PROPOSED CHANGES
> > >         A) MULTIPLE ACTIONS PER RULE
> > Ok, this doesn't look like it'd be too terribly hard to implement.  One
> > interesting thing to consider is the interaction that this will have with
> > Andrew Baker's multi-level alerts that will be coming out in Snort 1.7.
> Would it be the end of the world if I added this now?  I'm eager to get this
> work done.

How about multiple checks per rule, sort of like ipchains where you can
chain rules together. This could cut down on false alarms by allowing more
precise criteria for packet matching.

-Dan




More information about the Snort-users mailing list