[Snort-users] Rules order

Fermin Galan Marquez galan at ...3803...
Sat Oct 13 15:49:06 EDT 2001


Hello everyone.

I need to know some details of rules behavior.

When a packet match two o more log rules, one more
specific than the others, what rules take
preference logging the packet?

For example, if I have this two rules in my snort.conf:

	log tcp any any <> any 80 (msg: "Web traffic"; logto: "web.log";)
	log ip any any -> any any (logto: "flow.log";)

and a TCP segment to port 80 arrives to my interface, in
which file would be logged: web.log, flow.log or both?

Thanks for your time.

------------
Fermín Galán
galan at ...3803...
http://www.dit.upm.es/~galan





More information about the Snort-users mailing list