[Snort-users] Alert on more than 1 rule?

Joe McAlerney joey at ...47...
Mon Jun 25 14:58:12 EDT 2001


When rules are linked off the same option tree node, they are triggered
on a first come, first served basis.  Whichever one appears first in the
file will be triggered first.  This is why it is often good to place the
most specific rules above the more general ones.  Think of it as "Look
for these long specific strings with ../.. in them, but if all else
fails, we'll be satisfied with anything with ../.. in it".

Marty wrote a good explanation of how Snort rules are arranged under
http://www.snort.org/FAQ.html#q69

Hope this helps,

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

"Sheahan, Paul (PCLN-NW)" wrote:
> 
> I am writing some of my own rules on my new Snort server and have a
> question:
> 
> If incoming traffic matches two rules, will BOTH rules trigger an alert, or
> just one? For example, there is a rule that checks for "cmd.exe" execution
> on NT servers. I also created a rule that searches for the contents
> "winnt/system32" to see if anyone was capable of bringing up a directory on
> one of my servers. Well, an attack appeared in my logs recently that
> contained "winnt/system32/cmd.exe", but only the "cmd.exe" rule was
> triggered, and not my custom rule. I'm wondering if Snort is supposed to
> trigger both, or just one of the rules?
> 
> Thanks,
> Paul
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
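As an added illustration of the ordering point in Joe's reply (this is not from the original post or from the Snort distribution), here is how the two rules from the question could be arranged so that the more specific rule gets first crack at the packet. The rule header (tcp, any source, $HOME_NET port 80) is an assumption, chosen so that all the rules share one header and hang off the same option tree node; the msg strings are made up for the example. The two sections are alternatives, not meant to be loaded together.

```snort
# Ordering that shadows the custom rule: with first-match evaluation on a
# shared option tree node, a request containing "winnt/system32/cmd.exe"
# is claimed by the cmd.exe rule and the winnt/system32 rule never fires.
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS winnt/system32 access"; content:"winnt/system32"; nocase;)

# Most specific first: the combined string is checked before either
# fallback, so the alert names exactly the case that was hit, and the
# broader rules still catch requests that contain only one of the strings.
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS winnt/system32/cmd.exe access"; content:"winnt/system32/cmd.exe"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS winnt/system32 access"; content:"winnt/system32"; nocase;)
```

Whether more than one rule can fire on a single packet depends on the Snort version you run; check the behaviour of your release before relying on rule order alone to decide which alert you see.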
