[Snort-users] Rule precedence / multiple matches
neil at ...1633...
Thu Apr 5 10:08:34 EDT 2001
"Scott A. McIntyre" <scott at ...1050...> wrote asking:
>I've noticed that there are some rules which could/should all match the
>same packet, but typically snort only reports on one. Is there a
>guideline which governs how this is done?
[ ... ]
>I see the content there, but, the rule never gets triggered...
I can't answer you with any great authority, but it's been my experience
that Snort alerts on the first rule triggered. Once a packet matches a
rule, Snort takes whatever action is indicated by that rule and abandons
further interest in the packet.
Realistically, and if I've got it right, this is a good thing because to
alert on every rule a packet might match, requiring a complete search of
the rule list for every packet, would slow things down considerably. One
could actually take advantage of this behavior, I suppose, by putting rules
that are frequently triggered at the head of the rule list -- like the
world-famous "Destination Unreachable" rule.
Neil Dickey, Ph.D.
Davis Hall 312
Northern Illinois University
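To make the first-match behaviour described in the reply above concrete, here is a small added model written for this page (not Snort's own code, whose real detection engine and rule format are far more elaborate). The rules, packets and rule names below are constructed; the point is to show how rule order decides which single alert fires, why a more specific rule placed after a more general one "never gets triggered", and how putting a frequently matched rule at the head of the list reduces the number of rule checks per packet.

```python
"""Toy model of first-match rule evaluation, as described in the post.

Added illustration only: the rule representation is a hand-made subset of
Snort-style rules (protocol, a payload 'content' substring, an ICMP type),
not Snort's parser or matching engine.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    msg: str                          # alert message
    proto: str                        # "tcp", "udp" or "icmp"
    content: Optional[bytes] = None   # substring that must appear in payload
    icmp_type: Optional[int] = None   # required ICMP type, if any


@dataclass
class Packet:
    proto: str
    payload: bytes = b""
    icmp_type: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every option on the rule must hold for the packet."""
    if rule.proto != pkt.proto:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], int]:
    """First-match semantics: stop at the first rule that fires.

    Returns (alert message or None, number of rules examined).
    """
    for checked, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.msg, checked
    return None, len(rules)


def all_matches(rules: List[Rule], pkt: Packet) -> Tuple[List[str], int]:
    """Alert on every rule that fires; always walks the whole list."""
    hits = [r.msg for r in rules if rule_matches(r, pkt)]
    return hits, len(rules)


def total_evaluations(rules: List[Rule], packets: List[Packet]) -> int:
    """Rule checks spent on a stream of packets under first-match."""
    return sum(first_match(rules, p)[1] for p in packets)


# Constructed rules: a specific CGI rule, a general cgi-bin rule, and the
# "Destination Unreachable" rule the post mentions (ICMP type 3).
SPECIFIC = Rule("WEB-CGI example.cgi access", "tcp", content=b"/cgi-bin/example.cgi")
GENERAL = Rule("WEB-MISC cgi-bin access", "tcp", content=b"/cgi-bin/")
UNREACH = Rule("ICMP Destination Unreachable", "icmp", icmp_type=3)

RULES = [SPECIFIC, GENERAL, UNREACH]            # specific rule listed first
RULES_SWAPPED = [GENERAL, SPECIFIC, UNREACH]    # general rule shadows specific
RULES_ICMP_FIRST = [UNREACH, SPECIFIC, GENERAL] # hot rule moved to the head

# Constructed packets.
HTTP_PKT = Packet("tcp", b"GET /cgi-bin/example.cgi HTTP/1.0\r\n")
ICMP_PKT = Packet("icmp", icmp_type=3)
TRAFFIC = [ICMP_PKT, ICMP_PKT, ICMP_PKT, HTTP_PKT]   # mostly ICMP, as on many links


if __name__ == "__main__":
    print("first-match:", first_match(RULES, HTTP_PKT))
    print("all-match:  ", all_matches(RULES, HTTP_PKT))
    print("swapped order:", first_match(RULES_SWAPPED, HTTP_PKT))
    print("checks, ICMP rule last :", total_evaluations(RULES, TRAFFIC))
    print("checks, ICMP rule first:", total_evaluations(RULES_ICMP_FIRST, TRAFFIC))
```

With the specific rule first, the HTTP packet produces one alert from that rule even though both web rules match it; swap the two and only the general rule ever fires, which is exactly the "rule never gets triggered" symptom. Moving the ICMP rule to the head of the list halves the rule checks for the constructed traffic mix, which is the ordering trick the reply suggests.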