[Snort-users] Just one match could cover serious attack

John Sage jsage at ...2022...
Sun Aug 25 13:03:02 EDT 2002


On Sun, Aug 25, 2002 at 07:43:38AM -0700, Alvaro Lillo wrote:
> I have seen that some packets that match more than
> one rule of snort only generate one alert. This
> happens because snort at the first match doesn't
> continue comparing content. This could cover an attack,
> generating only alerts of low importance.
> Is there any way to give priority to some rules over
> others (the idea is that snort first searches for
> matches in some selected rules before the others)?

Other than reordering the include's in snort.conf, and/or reordering
individual rules within a given *.rules file, I don't believe there's
any way to do what you're suggesting.

And think about it: at the moment, snort stops examining a packet at
first match.

If snort was to do what you're suggesting, then snort would need to
maintain two separate states for each packet: what matches had been
found, and where in the rule parsing sequence it should resume looking
for yet another match.

Quite a bit of overhead to perform for each packet.

- John
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
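To make the behaviour discussed in this thread concrete, here is a small added example (not code from the thread, Snort, or either poster). It models a rule engine that stops at the first match, as John describes, shows how a low-importance rule listed earlier masks a more important one, shows the reordering workaround, and shows what a "keep scanning" engine has to track. The rule sids, messages, contents and payload are constructed for illustration and are not real Snort signatures.

```python
"""Toy first-match rule engine (added example, not Snort code)."""
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int          # constructed rule id
    msg: str          # alert message
    priority: int     # 1 = most important, larger = less important
    content: bytes    # substring the payload must contain to match


def first_match(rules, payload):
    """Stop at the first matching rule, the behaviour John describes.

    Only one sid is ever returned, so whichever matching rule appears
    first in the rule order decides the alert the analyst sees.
    """
    for rule in rules:
        if rule.content in payload:
            return [rule.sid]
    return []


def all_matches(rules, payload):
    """Hypothetical engine that keeps comparing after a match.

    As the thread notes, this needs per-packet state: the matches
    found so far and where in the rule list to resume. Here that
    state is the growing result list plus the loop position.
    """
    found = []
    for rule in rules:
        if rule.content in payload:
            found.append(rule.sid)
    return found


def order_by_priority(rules):
    """The workaround John suggests: place important rules earlier."""
    return sorted(rules, key=lambda r: r.priority)


# Constructed sample rules: a generic informational rule listed
# before a high-priority one, which is the masking scenario Alvaro raises.
RULES = [
    Rule(1000001, "INFO generic HTTP GET (constructed)", 3, b"GET "),
    Rule(1000002, "HIGH constructed-bad-pattern (constructed)", 1, b"BADPATTERN"),
]

# Constructed payload that satisfies both rules.
PAYLOAD = b"GET /BADPATTERN HTTP/1.0\r\n"


def demo(rules=RULES, payload=PAYLOAD):
    """Return which sids fire under each strategy."""
    return {
        "as_listed": first_match(rules, payload),
        "reordered": first_match(order_by_priority(rules), payload),
        "all_matches": all_matches(rules, payload),
    }


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:12s} -> {sids}")
```

With the rules as listed, only the low-importance sid 1000001 fires and the high-priority rule is never consulted; reordering by priority makes 1000002 fire instead; the keep-scanning engine reports both at the cost of carrying the extra state for every packet.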
