[Snort-users] Regarding IDS rules.

Dragos Ruiu dr at ...381...
Tue Mar 12 19:32:07 EST 2002

Snort uses the first rule that triggers.
The "first" rule is consistent, but not what you
would normally expect with simple logic.  I think 
Marty wrote some messages explaining rule chains 
and option nodes a while back that may help you
understand what is the first rule checked in a chain 
a while back which a search of the archives of 
this list may turn up.

Quick version, rule chains as separate by address,
and the last rule added to the chain is the first 
checked. (or I think that's the way it worked the
last time I looked at it :-P )


On Sun, 10 Mar 2002 00:03:51 -0500 (EST)
Ashley Thomas <athomas at ...3539...> wrote:

> Hi all,
> Is it possible / Is it good / to have multiple rules that might be matched
> for a packet/event.
> I mean, when the IDS processes the packet,i could trigger more than one
> rule, right ?
> Ideally that is not desired, right ?
> But practically when using Snort does this happen ?
> Has anyone experienced something similar ?
> thanks
> Ashley
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list