[Snort-users] Rule precedence / multiple matches

Neil Dickey neil at ...1633...
Thu Apr 5 10:08:34 EDT 2001


"Scott A. McIntyre" <scott at ...1050...> wrote asking:

>I've noticed that there are some rules which could/should all match the
>same packet, but typically snort only reports on one.  Is there a
>guideline which governs how this is done?  
[ ... ]
>I see the content there, but, the rule never gets triggered...

I can't answer you with any great authority, but it's been my experience
that Snort alerts on the first rule triggered.  Once a packet matches a
rule, Snort takes whatever action is indicated by that rule and abandons
further interest in the packet.

Realistically, and if I've got it right, this is a good thing because to
alert on every rule a packet might match, requiring a complete search of
the rule list for every packet, would slow things down considerably.  One
could actually take advantage of this behavior, I suppose, by putting rules
that are frequently triggered at the head of the rule list -- like the
world-famous "Destination Unreachable" rule.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Davis Hall 312
Northern Illinois University
DeKalb, Illinois
60115
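A toy model of the first-match behaviour Neil describes, added here as an example; it is not code from the original thread or from Snort itself. The Rule and Packet types, the rule list and its message strings are all constructed for illustration, and the only real-world name used is the "Destination Unreachable" rule mentioned in the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """Simplified Snort-style rule: protocol, optional ICMP type, optional payload content."""
    msg: str
    proto: str
    icmp_type: Optional[int] = None
    content: Optional[bytes] = None

@dataclass
class Packet:
    """Minimal decoded packet; fields are constructed, not parsed from a real capture."""
    proto: str
    icmp_type: Optional[int] = None
    payload: bytes = b""

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every option it specifies agrees with the packet."""
    if rule.proto != pkt.proto:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return rule.content is None or rule.content in pkt.payload

def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], int]:
    """Behaviour described in the post: act on the first hit and stop.
    Returns (message of the firing rule or None, number of rules evaluated)."""
    for evaluated, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.msg, evaluated
    return None, len(rules)

def all_matches(rules: List[Rule], pkt: Packet) -> List[str]:
    """Exhaustive alternative: every rule is tested and every hit is reported."""
    return [rule.msg for rule in rules if matches(rule, pkt)]

def move_to_front(rules: List[Rule], msg: str) -> List[Rule]:
    """Reorder so the rule with the given message is tested first (the tuning Neil suggests)."""
    return [r for r in rules if r.msg == msg] + [r for r in rules if r.msg != msg]

# Constructed rule list; two rules overlap on ICMP type 3 and two on TCP payload content.
RULES = [
    Rule("tcp content marker alpha", "tcp", content=b"alpha"),
    Rule("tcp content marker beta", "tcp", content=b"beta"),
    Rule("ICMP Destination Unreachable", "icmp", icmp_type=3),
    Rule("ICMP type 3, second overlapping rule", "icmp", icmp_type=3),
]
```

With these constructed rules a TCP packet carrying both markers fires only the alpha rule under first_match but both TCP rules under all_matches, and moving the Destination Unreachable rule to the front cuts the rules evaluated for an ICMP type 3 packet from three to one.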