[Snort-users] Just one match could cover serious attack
jsage at ...2022...
Sun Aug 25 13:03:02 EDT 2002
On Sun, Aug 25, 2002 at 07:43:38AM -0700, Alvaro Lillo wrote:
> I have seen that some packets that match more than
> one rule of snort only generate one alert. This
> happens because snort, at the first match, stops
> comparing content. This could cover an attack,
> generating only alerts of low importance.
> Is there any way to give priority to some rules over
> others (the idea is that snort first searches for
> matches in some selected rules before the others)?
Other than reordering the includes in snort.conf, and/or reordering
individual rules within a given *.rules file, I don't believe there's
any way to do what you're suggesting.
And think about it: at the moment, snort stops examining a packet at
If snort was to do what you're suggesting, then snort would need to
maintain two separate states for each packet: what matches had been
found, and where in the rule parsing sequence it should resume looking
for yet another match.
Quite a bit of overhead to perform for each packet.
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
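
A simplified model of the first-match behaviour discussed in this thread, added here as an example; it is not part of either message and is not Snort's detection engine. The rule fields, sids, messages and payload are constructed, and content matching is reduced to a substring test.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int        # constructed id, not a real Snort sid
    msg: str
    priority: int   # 1 = most severe
    content: bytes  # substring that must appear in the payload

def first_match(rules, payload):
    """Walk rules in list order and stop at the first hit."""
    for rule in rules:
        if rule.content in payload:
            return rule
    return None

def all_matches(rules, payload):
    """Exhaustive evaluation: every rule is tested against the packet."""
    return [r for r in rules if r.content in payload]

def masked_rules(rules, payload):
    """Matching rules more severe than the one first-match reported."""
    hit = first_match(rules, payload)
    if hit is None:
        return []
    return [r for r in all_matches(rules, payload) if r.priority < hit.priority]

def reorder_by_priority(rules):
    """Workaround from the reply: place the rules that matter most first.
    sorted() is stable, so rules of equal priority keep their file order."""
    return sorted(rules, key=lambda r: r.priority)

# Constructed sample: a generic low-priority rule listed before a specific one.
RULES = [
    Rule(1000001, "INFO web request", 3, b"GET /"),
    Rule(1000002, "ATTACK cmd.exe in request", 1, b"cmd.exe"),
]
PAYLOAD = b"GET /cgi-bin/test?x=cmd.exe HTTP/1.0\r\n"  # constructed

if __name__ == "__main__":
    print("file order :", first_match(RULES, PAYLOAD).msg)
    print("masked     :", [r.msg for r in masked_rules(RULES, PAYLOAD)])
    print("reordered  :", first_match(reorder_by_priority(RULES), PAYLOAD).msg)
```

Running `masked_rules` over a rule set and a sample of captured payloads is a quick way to find orderings where a generic rule hides a more severe one.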