[Snort-users] Rule precedence / multiple matches

Scott A. McIntyre scott at ...1050...
Thu Apr 5 12:37:32 EDT 2001


> >same packet, but typically snort only reports on one.  Is there a
> >guideline which governs how this is done?  
> [ ... ]
> >I see the content there, but, the rule never gets triggered...
> 
> I can't answer you with any great authority, but it's been my experience
> that Snort alerts on the first rule triggered.  Once a packet matches a
> rule, Snort takes whatever action is indicated by that rule and abandons
> further interest in the packet.
> 

The problem that I'm trying to figure out is that if I have a rule that
says to alert on any inbound port 515, and another which has an alert on
port 515 with specific hex content, and a third which has port 515 with
specific hex and ascii content, how does snort decide *which* of these
three alerts is the first rule to get triggered?

It doesn't seem to have much to do with the order that the rules are
read in, and I seem to recall Marty mentioned this a few weeks ago; when
the rule chains are built there's other logic going on.

It also does not appear to be on "most precise rule matches first" --
that is, four content's, flags, offset, dept, etc, doesn't match first
as compared to other rules.

Just a slight puzzle.





More information about the Snort-users mailing list