[Snort-users] Rule precedence / multiple matches
neil at ...1633...
Fri Apr 6 09:44:52 EDT 2001
"Scott A. McIntyre" <scott at ...1050...> wrote in response to me:
>> I can't answer you with any great authority, but it's been my experience
>> that Snort alerts on the first rule triggered. Once a packet matches a
>> rule, Snort takes whatever action is indicated by that rule and abandons
>> further interest in the packet.
>The problem that I'm trying to figure out is that if I have a rule that
>says to alert on any inbound port 515, and another which has an alert on
>port 515 with specific hex content, and a third which has port 515 with
>specific hex and ascii content, how does snort decide *which* of these
>three alerts is the first rule to get triggered?
>[ ... Snip, order doesn't matter ... ]
>[ ... Snip, neither does precision of match ... ]
I have to admit that I have no idea. I noticed the phenomenon when I was
adding local rules to an old-style (all in one piece) rules file and put
them at the end. I saw that some of my new rules didn't get hit when there
were others higher up in the list -- by definition -- that matched the
packet, hence my obviously too-hasty conclusion. I was also using the
observation that Snort looks at rule types in a particular order, and that
it is necessary, for instance, to tell it to act on pass rules first or
they will have no effect.
>Just a slight puzzle.
Indeed it is. I hope someone can solve it for us.
Neil Dickey, Ph.D.
Northern Illinois University
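The thread above leaves the question open, so the following is only an added illustration of the two ordering effects it raises, not Snort code and not a statement of how any Snort version actually resolves overlapping rules. It models a rule as an action, a source, a destination port and a list of required payload bytes, then shows (a) that under a "first matching rule wins" policy the list order of the three overlapping port-515 rules decides which alert fires, and (b) that a pass rule only has an effect when pass rules are evaluated before alert rules, which is the point made about `-o`-style ordering in the message. The rules, hosts and payload are all constructed for the example.

```python
"""Toy model of rule ordering effects (added example, not Snort's engine)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "alert" or "pass"
    msg: str
    dport: int
    src: str = "any"       # constructed source-address match; "any" matches all
    contents: tuple = ()   # byte strings that must ALL appear in the payload

    def matches(self, src: str, dport: int, payload: bytes) -> bool:
        if self.src != "any" and self.src != src:
            return False
        return dport == self.dport and all(c in payload for c in self.contents)


def first_match(rules, src, dport, payload):
    """'First rule wins': return the msg of the first matching rule in list order."""
    for r in rules:
        if r.matches(src, dport, payload):
            return r.msg
    return None


def most_specific(rules, src, dport, payload):
    """Alternative policy: among all matching rules, prefer the one with the
    most content checks. Shown only to contrast with first_match."""
    hits = [r for r in rules if r.matches(src, dport, payload)]
    if not hits:
        return None
    return max(hits, key=lambda r: len(r.contents)).msg


def evaluate(rules, src, dport, payload, pass_first: bool):
    """Apply action-type ordering. With pass_first=False an alert rule that
    matches wins before any pass rule is even consulted; with pass_first=True
    a matching pass rule short-circuits the alert rules."""
    order = ("pass", "alert") if pass_first else ("alert", "pass")
    for action in order:
        subset = [r for r in rules if r.action == action]
        hit = first_match(subset, src, dport, payload)
        if hit is not None:
            return action, hit
    return None, None


# Constructed rules mirroring the three overlapping port-515 rules in the thread.
LPD_RULES = [
    Rule("alert", "LPD any inbound 515", 515),
    Rule("alert", "LPD hex content", 515, contents=(b"\x41\x41\x41\x41",)),
    Rule("alert", "LPD hex+ascii content", 515,
         contents=(b"\x41\x41\x41\x41", b"printer")),
]
# Constructed pass rule for a trusted print client.
TRUSTED_PASS = Rule("pass", "trusted print client", 515, src="10.0.0.5")

# Constructed payload that satisfies all three alert rules.
PAYLOAD = b"\x02printer\x41\x41\x41\x41\n"


def demo():
    """Return the outcomes under each policy so they can be compared."""
    return {
        "first_match_listed_order": first_match(LPD_RULES, "10.0.0.9", 515, PAYLOAD),
        "first_match_reversed": first_match(list(reversed(LPD_RULES)), "10.0.0.9", 515, PAYLOAD),
        "most_specific": most_specific(LPD_RULES, "10.0.0.9", 515, PAYLOAD),
        "alert_before_pass": evaluate(LPD_RULES + [TRUSTED_PASS], "10.0.0.5", 515, PAYLOAD, False),
        "pass_before_alert": evaluate(LPD_RULES + [TRUSTED_PASS], "10.0.0.5", 515, PAYLOAD, True),
        "pass_first_untrusted_src": evaluate(LPD_RULES + [TRUSTED_PASS], "10.0.0.9", 515, PAYLOAD, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Reversing the list flips which of the three alerts fires under first-match, while most-specific ordering always reports the third rule; and the trusted-client pass rule is ignored entirely unless pass rules run before alert rules. Whatever the real engine does, the same packet with the same rule set yields different alerts purely from ordering, which is why the rule file position and the action-type order both matter.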