[Snort-users] Rules ordering question.

larosa, vjay larosa_vjay at ...3331...
Tue Apr 30 20:21:10 EDT 2002


Hello,

Question about rule ordering and placement.

If I have two rules in two different rules files,

This alert is in web-iis.rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 1"; flags:A+; content:"Test Message 1"; nocase; depth: 5; classtype:misc-activity; rev:1;)

This alert is in local.rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 2"; flags:A+; content:"Test Message"; nocase; depth: 5; classtype:misc-activity; rev:1;)

The string is very similar, but the local.rules entry is missing the number "1"
at the end of the string. What rule would fire first? How would snort determine
the order in the chain for two very similar rules?

NOTE: This question is specifically about similar rules in DIFFERENT rules
files. I don't want to just put the local.rules entry into the web-iis.rules
file above the Test Event 1 rule.


Thanks!

vjl
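Added example, not part of the original post: a small Python checker run over the two rules quoted above. It does not decide which rule Snort places first in its chain; it shows why the two rules collide at all (the content "Test Message" is a substring of "Test Message 1", and both carry nocase, so any payload that satisfies Test Event 1 also satisfies Test Event 2) and it flags a depth smaller than the content length, since a pattern cannot fit inside the first 5 payload bytes when it is 12 or 14 bytes long. The rule text is copied from the post; the parser, function names and the report layout are this example's own, not Snort's.

```python
"""
Constructed example: lint the two Snort rules from the post for content
overlap and for a depth that is too small to ever hold the content.
The rule text below is copied from the post; everything else is this
example's own and is not Snort's parser.
"""
import re

RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 1"; flags:A+; content:"Test Message 1"; nocase; depth: 5; classtype:misc-activity; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 2"; flags:A+; content:"Test Message"; nocase; depth: 5; classtype:misc-activity; rev:1;)
'''

# name, optional ":value" (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line):
    """Split one rule into its header and the options we care about.
    nocase/depth are attached to the most recent content, as in Snort."""
    header, _, body = line.partition('(')
    body = body.rstrip().rstrip(')')
    rule = {'header': header.strip(), 'msg': None, 'contents': []}
    current = None
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if name == 'msg':
            rule['msg'] = value
        elif name == 'content':
            current = {'pattern': value, 'nocase': False, 'depth': None}
            rule['contents'].append(current)
        elif name == 'nocase' and current is not None:
            current['nocase'] = True
        elif name == 'depth' and current is not None:
            current['depth'] = int(value)
    return rule


def depth_problems(rule):
    """Patterns whose depth is smaller than the pattern itself: the content
    can never end inside the first `depth` bytes, so it can never match."""
    return [c['pattern'] for c in rule['contents']
            if c['depth'] is not None and c['depth'] < len(c['pattern'])]


def content_overlap(a, b):
    """True when every payload matching a's first content also matches b's:
    b's pattern is a substring of a's (case-folded when both are nocase)."""
    pa, pb = a['contents'][0], b['contents'][0]
    fold = pa['nocase'] and pb['nocase']
    sa = pa['pattern'].lower() if fold else pa['pattern']
    sb = pb['pattern'].lower() if fold else pb['pattern']
    return sb in sa


def analyze(text):
    """Report per-rule depth problems and which rule matches whenever
    another one does (the broader rule listed first in each pair)."""
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    report = {r['msg']: {'bad_depth': depth_problems(r)} for r in rules}
    report['shadows'] = [(b['msg'], a['msg'])
                         for a in rules for b in rules
                         if a is not b and content_overlap(a, b)]
    return report


if __name__ == '__main__':
    for key, value in analyze(RULES).items():
        print(key, value)
```

The "shadows" entry reads ('Test Event 2', 'Test Event 1'): the local.rules entry matches every packet the web-iis.rules entry matches, so whichever order Snort settles on, the two rules are competing for the same traffic rather than splitting it. The depth report is the check a practitioner would want before worrying about order: as written, neither content can fit within depth 5, so neither rule would fire on any packet.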
