[Snort-users] Rule precedence / multiple matches
Scott A. McIntyre
scott at ...1050...
Thu Apr 5 00:14:49 EDT 2001

I've noticed that there are some rules which could/should all match the
same packet, but typically snort only reports on one. Is there a
guideline which governs how this is done?

For example, the X86 no-ops rule that catches a lot of the lpd format
string overflows at the moment does not trigger an equal number of
inbound port 515 rules, or rules which match specific other content in
I see the content there, but, the rule never gets triggered...