[Snort-users] Newbie questions are as newbie questions does

Geoff Craig GCraig at ...8687...
Mon Apr 7 13:17:07 EDT 2003


Hello all,
 
In a "theoretical" deployment, say you had one Snort box that was
monitoring traffic going to 3 boxes, 2 real web servers, and 1 honeypot.
So, I have a rule that alerts on all port 80 traffic going to the
honeypot, but just the web-iis.rules for the other 2 web servers.  Will
the rule that logs all port 80 traffic cause the web-iis.rules to not be
fired when going to the honeypot?  If I need to be more in depth let me
know.
 
In other words, what happens if two rules happen to be a positive for a
certain packet or stream?  If only one fires how can you control which
one?
 
Thanks!
 
Geoff 
 