[Snort-users] Alert on more than 1 rule?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Mon Jun 25 13:27:08 EDT 2001


I am writing some of my own rules on my new Snort server and have a
question:

If incoming traffic matches two rules, will BOTH rules trigger an alert, or
just one? For example, there is a rule that checks for "cmd.exe" execution
on NT servers. I also created a rule that searches for the contents
"winnt/system32" to see if anyone was capable of bringing up a directory on
one of my servers. Well, an attack appeared in my logs recently that
contained "winnt/system32/cmd.exe", but only the "cmd.exe" rule was
triggered, and not my custom rule. I'm wondering if Snort is supposed to
trigger both, or just one of the rules?


Thanks,
Paul
