[Snort-users] Rule precedence / multiple matches

Steve Halligan agent33 at ...187...
Fri Apr 6 13:55:28 EDT 2001

Marty went through this in detail at CanSecWest...maybe he can restate what
he said there, but essentially:

1)  The first rule match exits.
2)  Rules are grouped by the rule parser in order to do matches faster (ie.
TCP rule grouped together, dest port 80 grouped within that, grouped by
flags, etc etc)
3)  This grouping order has very little to do with the order rules appear in
the rule file.
4)  The most important thing is, that if a packet matches a rule (be it one
rule or many), is that the packet gets logged.  Once logged, we can do more
investigation whether it triggered rule "a" or rule "b".
5)  Some things you can do to provide more specific rule matching (I am not
gonna go into detail here)
	a)  Define different rule types.  Rule types are executed in the
order they were defined (ie
default=alert->pass->log->custom#1->custom#2->etc)  You can change this
order and create a rule type (eg "red_alert") with the rules you want
processed first.
	b)  implement some sort of rule priority system.
	c)  Change the way snort works so you get matches for all rules and
not just the first one.

Any questions?  Well don't ask me, 'cause this is all I know :)


> -----Original Message-----
> From: Neil Dickey [mailto:neil at ...1633...]
> Sent: Friday, April 06, 2001 8:45 AM
> To: scott at ...1050...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule precedence / multiple matches
> "Scott A. McIntyre" <scott at ...1050...> wrote in response to me:
> >> I can't answer you with any great authority, but it's been 
> my experience
> >> that Snort alerts on the first rule triggered.  Once a 
> packet matches a
> >> rule, Snort takes whatever action is indicated by that 
> rule and abandons
> >> further interest in the packet.
> >
> >The problem that I'm trying to figure out is that if I have 
> a rule that
> >says to alert on any inbound port 515, and another which has 
> an alert on
> >port 515 with specific hex content, and a third which has 
> port 515 with
> >specific hex and ascii content, how does snort decide 
> *which* of these
> >three alerts is the first rule to get triggered?
> >
> >[ ... Snip, order doesn't matter ... ]
> >
> >[ ... Snip, neither does precision of match ... ]
> I have to admit that I have no idea.  I noticed the 
> phenomenon when I was
> adding local rules to an old-style ( all in one piece ) rules 
> file and put
> them at the end.  I saw that some of my new rules didn't get 
> hit when there
> were others higher up in the list -- by definition -- that matched the
> packet, hence my obviously too-hasty conclusion.  I was also using the
> observation that Snort looks at rule types in a particular 
> order, and that
> it is necessary, for instance, to tell it to act on pass 
> rules first or
> they will have no effect.
> >Just a slight puzzle.
> Indeed it is.  I hope someone can solve it for us.
> Best regards,
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list