[Snort-users] Rule precedence / multiple matches

Martin Roesch roesch at ...421...
Fri Apr 6 23:34:48 EDT 2001


Snort bails out of the detection engine on the first rule it hits for a
given packet; this is a performance enhancement.  My rationale for doing
this is that once the packet is collected, a good analyst will be able
to see any other fishy aspects of the packet as well.

Rule precedence has been spelled out several times on this list; check
the archives (I know I posted the rule ordering doc about a month ago on
this list).  If you'd like me to post it again, I'll put it up.

    -Marty

"Scott A. McIntyre" wrote:
> 
> Hi,
> 
> I've noticed that there are some rules which could/should all match the
> same packet, but typically snort only reports on one.  Is there a
> guideline which governs how this is done?
> 
> For example, the X86 no-ops rule that catches a lot of the lpd format
> string overflows at the moment does not trigger an equal number of
> inbound port 515 rules, or rules which match specific other content in
> those packets.
> 
> I see the content there, but, the rule never gets triggered...
> 
> Scott
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
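As an added illustration (not Snort's code and not from either poster), a small Python model of the first-match behaviour Marty describes: rules are checked in list order, a first-match engine returns after one hit, and an all-match pass shows the other rules Scott expected to fire. Rule names, ports and the sample payload are constructed, and using plain list order as the precedence is an assumption.

```python
# Simplified first-match vs all-match rule evaluation (constructed model,
# not Snort's detection engine). Rules are evaluated in list order and the
# first-match engine stops at the first rule that fires.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    msg: str
    dst_port: Optional[int] = None   # None means any destination port
    content: Optional[bytes] = None  # None means no content check

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the message of the first rule that fires, or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.msg
    return None


def all_matches(rules: List[Rule], pkt: Packet) -> List[str]:
    """Return the messages of every rule that fires, in rule order."""
    return [r.msg for r in rules if r.matches(pkt)]


# Constructed rule set: a generic x86 NOP-sled rule listed ahead of two
# lpd (port 515) rules, mirroring the situation described in the thread.
RULES = [
    Rule("SHELLCODE x86 NOOP (constructed)", content=b"\x90" * 8),
    Rule("LPD format string (constructed)", dst_port=515, content=b"%n%n"),
    Rule("LPD inbound traffic (constructed)", dst_port=515),
]

# Constructed packet: lpd port, NOP sled, format-string payload.
SAMPLE = Packet(515, b"\x90" * 32 + b"%n%n%n%n" + b"\x90" * 4)

if __name__ == "__main__":
    print("first match:", first_match(RULES, SAMPLE))
    print("all matches:", all_matches(RULES, SAMPLE))
```

Reversing the rule list changes which single alert the first-match engine reports, which is why rule ordering, not rule content alone, decides what an analyst sees.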