[Snort-users] Rule precedence / multiple matches

Neil Dickey neil at ...1633...
Fri Apr 6 09:44:52 EDT 2001


"Scott A. McIntyre" <scott at ...1050...> wrote in response to me:

>> I can't answer you with any great authority, but it's been my experience
>> that Snort alerts on the first rule triggered.  Once a packet matches a
>> rule, Snort takes whatever action is indicated by that rule and abandons
>> further interest in the packet.
>
>The problem that I'm trying to figure out is that if I have a rule that
>says to alert on any inbound port 515, and another which has an alert on
>port 515 with specific hex content, and a third which has port 515 with
>specific hex and ascii content, how does snort decide *which* of these
>three alerts is the first rule to get triggered?
>
>[ ... Snip, order doesn't matter ... ]
>
>[ ... Snip, neither does precision of match ... ]

I have to admit that I have no idea.  I noticed the phenomenon when I was
adding local rules to an old-style ( all in one piece ) rules file and put
them at the end.  I saw that some of my new rules didn't get hit when there
were others higher up in the list -- by definition -- that matched the
packet, hence my obviously too-hasty conclusion.  I was also using the
observation that Snort looks at rule types in a particular order, and that
it is necessary, for instance, to tell it to act on pass rules first or
they will have no effect.

>Just a slight puzzle.

Indeed it is.  I hope someone can solve it for us.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115






More information about the Snort-users mailing list