[Snort-users] Meaning of priority?

carold at ...158...
Fri Jul 5 09:57:05 EDT 2002


RTFM says that "The priority tag assigns a severity level to rules."
However, could somebody explain what the functional meaning is? I have verified that
it is not *processing* priority.

Is it just a tag for the output processing? If yes, is it not illogical that
processing priority can contradict output priority, such as:

alert tcp any any -> $mynet 80 (msg:"web access"; priority:3;)
alert tcp any any -> $secrethost any (msg:"nobody should go there"; priority:1;)

In the example above, web traffic to $secrethost will be logged as priority
3 even though any traffic to this particular destination should be priority
1.

Somebody could suggest that I can just swap the two rules and everything
will be fine. I would agree with this particular case but not in general.
Default Snort rule blocks are arranged by topic (web, dns, etc.), not by priority,
so it is common that less severe rules might get triggered before more severe ones
for the same event.

TIA


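As an added illustration of the poster's point (example code, not part of the original post and not Snort's own logic), the following Python model parses the two rules quoted above and compares rule-order reporting with severity-based reporting for the same packet. The variable values, the header-only matcher and the first-match semantics are assumptions made for the example.

```python
import re
import ipaddress

# The two rules from the post, reproduced here as constructed input.
RULES = """
alert tcp any any -> $mynet 80 (msg:"web access"; priority:3;)
alert tcp any any -> $secrethost any (msg:"nobody should go there"; priority:1;)
"""

# Hypothetical values for the rule variables (assumption for this example).
VARS = {
    "$mynet": ipaddress.ip_network("192.0.2.0/24"),
    "$secrethost": ipaddress.ip_network("192.0.2.10/32"),
}

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+):\s*("[^"]*"|[^;]+);')

def parse_rules(text):
    """Parse the small subset of Snort rule syntax used above into dicts."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        _action, proto, _src, _sport, dst, dport, opts = m.groups()
        options = {k: v.strip('"') for k, v in OPTION.findall(opts)}
        rules.append({"proto": proto, "dst": dst, "dport": dport,
                      "msg": options.get("msg", ""),
                      # priority:1 is the most severe; assume 3 when absent
                      "priority": int(options.get("priority", 3))})
    return rules

def matches(rule, proto, dst_ip, dst_port):
    """Header-only match on protocol, destination address and destination port."""
    if rule["proto"] != proto:
        return False
    if rule["dst"] != "any":
        net = VARS.get(rule["dst"]) or ipaddress.ip_network(rule["dst"])
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    return rule["dport"] == "any" or int(rule["dport"]) == dst_port

def first_match(rules, proto, dst_ip, dst_port):
    """Rule-order semantics the poster describes: the first hit is what gets reported."""
    return next((r for r in rules if matches(r, proto, dst_ip, dst_port)), None)

def most_severe(rules, proto, dst_ip, dst_port):
    """What the poster expects instead: of all hits, report the lowest priority number."""
    hits = [r for r in rules if matches(r, proto, dst_ip, dst_port)]
    return min(hits, key=lambda r: r["priority"]) if hits else None

if __name__ == "__main__":
    rules = parse_rules(RULES)
    pkt = ("tcp", "192.0.2.10", 80)  # web request to $secrethost
    print("first match :", first_match(rules, *pkt)["msg"])   # web access (priority 3)
    print("most severe :", most_severe(rules, *pkt)["msg"])   # nobody should go there
```

Run as-is it prints the two different verdicts for the same packet; swapping the rule lines in RULES makes both agree, which is exactly why order alone is a fragile fix across topic-sorted rule files.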