[Snort-users] Regarding IDS rules.

Andrew Hall ahall at ...5276...
Sun Mar 10 20:59:04 EST 2002


Snort will only inform you of the first signature that it matches.  Some
other IDS products, such as Dragon, will give you all signatures that match.

If you do find that you are triggering multiple signatures with a single
event, it may be worth while to see whether you can tune you rule set some
more ... ie the more efficient your rule set the better your IDS can
perform.

Andrew

-----Original Message-----
From: Ashley Thomas [mailto:athomas at ...3539...]
Sent: Sunday, March 10, 2002 4:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Regarding IDS rules.


Hi all,

Is it possible / Is it good / to have multiple rules that might be matched
for a packet/event.

I mean, when the IDS processes the packet,i could trigger more than one
rule, right ?

Ideally that is not desired, right ?
But practically when using Snort does this happen ?

Has anyone experienced something similar ?

thanks
Ashley


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list