[Snort-users] Rule precedence / multiple matches
Scott A. McIntyre
scott at ...1050...
Thu Apr 5 12:37:32 EDT 2001
> >same packet, but typically snort only reports on one. Is there a
> >guideline which governs how this is done?
> [ ... ]
> >I see the content there, but, the rule never gets triggered...
> I can't answer you with any great authority, but it's been my experience
> that Snort alerts on the first rule triggered. Once a packet matches a
> rule, Snort takes whatever action is indicated by that rule and abandons
> further interest in the packet.
The problem that I'm trying to figure out is that if I have a rule that
says to alert on any inbound port 515, and another which has an alert on
port 515 with specific hex content, and a third which has port 515 with
specific hex and ascii content, how does snort decide *which* of these
three alerts is the first rule to get triggered?
It doesn't seem to have much to do with the order that the rules are
read in, and I seem to recall Marty mentioned this a few weeks ago; when
the rule chains are built there's other logic going on.
It also does not appear to be on "most precise rule matches first" --
that is, four content's, flags, offset, dept, etc, doesn't match first
as compared to other rules.
Just a slight puzzle.
More information about the Snort-users