[Snort-users] order of matching rules
archuatdavis at ...131...
Thu Oct 17 11:46:04 EDT 2002
When I use Snort to detect the attacks towards an IIS server which uses the URI:
why does it raise the alert:
"WEB-IIS cmd.exe access" with sid:1002 that looks for
and not the alert:
"WEB-IIS File permission canonicalization" with sid:981 that looks for
--- Chris Green <cmg at ...950...> wrote:
> archana rao <archuatdavis at ...131...> writes:
> > The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
> > "For some strange reason, Snort stops the detection process for a
> > packet after the first matching rule - maybe to improve performance"
> > while talking about snort-ng. Is this the way it works in Snort-1.9.0 too?
> For Snort-1.9.x yes.
> For Snort-2.0, no.
> There was a first exit match strategy first. The strange reason was
> once you got something you care about, why bother keeping going on and
> let the ruleset editors worry about rule ordering.
> If you're looking at snort-ng, look at the HEAD snort branch too.
> You'll be pleasantly surprised if you have the facilities to compare
> the two.
> > In what order are the rules matched against the incoming packets? Is
> > it the order in which they are listed in the *.rules file? Archana
> Look through the mailing list archives for a description of the
> RTN/OTN parsing.
> Chris Green <cmg at ...1935...>
> To err is human, to moo bovine.
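The first-exit behaviour Chris describes, as an added illustration that is not part of the thread or of Snort itself: a toy evaluator that runs a URI against rules in file order and either stops at the first hit (the Snort-1.9.x strategy) or reports every hit (Snort-2.0). The two rule content strings and the sample URI are constructed stand-ins, not the real sid 1002 / sid 981 patterns, which this page does not reproduce.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: str  # substring the rule looks for in the request URI


# Constructed ruleset, listed in the order it would sit in a *.rules file.
# The content strings are stand-ins chosen for this example only.
RULES = [
    Rule(1002, "WEB-IIS cmd.exe access", "cmd.exe"),
    Rule(981, "WEB-IIS File permission canonicalization", "..%5c.."),
]

# Constructed request URI that contains both stand-in patterns.
SAMPLE_URI = "/scripts/..%5c../cmd.exe"


def match_first_exit(uri: str, rules: list) -> list:
    """Snort-1.9.x style: stop at the first rule whose content matches."""
    for rule in rules:
        if rule.content in uri:
            return [rule]  # later rules are never examined
    return []


def match_all(uri: str, rules: list) -> list:
    """Snort-2.0 style: keep evaluating, return every rule that matches."""
    return [rule for rule in rules if rule.content in uri]


if __name__ == "__main__":
    print("first-exit, file order :", [r.sid for r in match_first_exit(SAMPLE_URI, RULES)])
    print("first-exit, reversed   :", [r.sid for r in match_first_exit(SAMPLE_URI, RULES[::-1])])
    print("evaluate all rules     :", [r.sid for r in match_all(SAMPLE_URI, RULES)])
```

Under first-exit the alert you see is decided purely by which matching rule appears first in the file, which is why reordering the ruleset changes the reported sid while full evaluation reports both.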