[Snort-users] order of matching rules

archana rao archuatdavis at ...131...
Thu Oct 17 11:46:04 EDT 2002


When I use Snort to detect the attacks towards an IIS server which uses the URI:
GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"
why does it raise the alert "WEB-IIS cmd.exe access" with sid:1002 that looks for
content:"cmd.exe"
and not the alert "WEB-IIS File permission canonicalization" with sid:981 that looks for
uricontent:"/scripts/..%c0%af../"?
Archana

--- Chris Green <cmg at ...950...> wrote:
> archana rao <archuatdavis at ...131...> writes:
> 
> > The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
> > "For some strange reason, Snort stops the detection process for a
> > packet after the first matching rule - maybe to improve performance"
> > while talking about snort-ng. Is this the way it works in
> > Snort-1.9.0 too?
> 
> For Snort-1.9.x yes.
> 
> For Snort-2.0, no.
> 
> There was a first exit match strategy first.  The strange reason was
> once you got something you care about, why bother keeping going on and
> let the ruleset editors worry about rule ordering.
> 
> If you're looking at snort-ng, look at the HEAD snort branch too.
> You'll be pleasantly surprised if you have the facilities to compare
> the two.
> 
> > In what order are the rules matched against the incoming packets? Is
> > it the order in which they are listed in the *.rules file?  Archana
> 
> Look through the mailing list archives for a description of the
> RTN/OTN parsing.
> -- 
> Chris Green <cmg at ...1935...>
> To err is human, to moo bovine.
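Added example, not code from the thread or from Snort itself: a toy model of the two evaluation strategies Chris describes. Two simplified rules stand in for sid:1002 (content:"cmd.exe", searched in the whole payload) and sid:981 (uricontent:"/scripts/..%c0%af../", searched in the URI only), and the request is constructed from the URI quoted in the question. The list order used here is only an assumption standing in for whatever order the engine actually walks its rules; the point is that with a first-exit strategy only the first rule that happens to match raises an alert, so which sid you see depends on rule ordering, while evaluating every rule reports both.

```python
"""
Toy model of first-exit vs. exhaustive rule evaluation.

Constructed illustration of the behaviour discussed on snort-users;
this is not Snort's detection engine and the rule order is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """Minimal stand-in for a Snort rule with optional content / uricontent."""
    sid: int
    msg: str
    content: Optional[bytes] = None      # content:"..."    -> match anywhere in payload
    uricontent: Optional[bytes] = None   # uricontent:"..." -> match in the URI only

    def matches(self, payload: bytes, uri: bytes) -> bool:
        if self.content is not None and self.content not in payload:
            return False
        if self.uricontent is not None and self.uricontent not in uri:
            return False
        return True


def extract_uri(payload: bytes) -> bytes:
    """Pull the request-target out of the HTTP request line ("GET <uri> HTTP/x.y")."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def evaluate(rules: List[Rule], payload: bytes, first_exit: bool) -> List[int]:
    """Return the sids that alert on this payload.

    first_exit=True  models the 1.9.x behaviour: stop after the first match.
    first_exit=False models the 2.0 behaviour: every matching rule alerts.
    """
    uri = extract_uri(payload)
    alerts: List[int] = []
    for rule in rules:
        if rule.matches(payload, uri):
            alerts.append(rule.sid)
            if first_exit:
                break
    return alerts


# Simplified stand-ins for the two rules named in the question (assumed order).
RULES = [
    Rule(1002, "WEB-IIS cmd.exe access", content=b"cmd.exe"),
    Rule(981, "WEB-IIS File permission canonicalization",
         uricontent=b"/scripts/..%c0%af../"),
]

# Constructed request built from the URI quoted in the question.
REQUEST = (
    b"GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+ HTTP/1.0\r\n"
    b"Host: victim.example\r\n"
    b"\r\n"
)


def first_exit_alerts() -> List[int]:
    return evaluate(RULES, REQUEST, first_exit=True)


def exhaustive_alerts() -> List[int]:
    return evaluate(RULES, REQUEST, first_exit=False)


def first_exit_reordered_alerts() -> List[int]:
    """Same rules, opposite order: under first-exit the other sid wins."""
    return evaluate(list(reversed(RULES)), REQUEST, first_exit=True)


if __name__ == "__main__":
    print("first-exit, file order     :", first_exit_alerts())
    print("first-exit, reversed order :", first_exit_reordered_alerts())
    print("exhaustive                 :", exhaustive_alerts())
```

Both rules match this request, so the exhaustive pass reports sid 1002 and sid 981; the first-exit pass reports exactly one of them, and swapping the two rules swaps which one.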
