[Snort-users] Newbie questions are as newbie questions does

Michael L. Artz dragon at ...8731...
Mon Apr 7 19:14:04 EDT 2003


Snort is currently "first match out" IDS, so make sure that you define 
your alerts by specificity in the config file.

-Mike


Geoff Craig wrote:

> Hello all,
>
> In a “theoretical” deployment, say you had one Snort box that was 
> monitoring traffic going to 3 boxes, 2 real web servers, and 1 
> honeypot. So, I have a rule that alerts on all port 80 traffic going 
> to the honeypot, but just the web-iis.rules for the other 2 web 
> servers. Will the rule that logs all port 80 traffic cause the 
> web-iis.rules to not be fired when going to the honeypot? If I need to 
> be more in depth let me know.
>
> In other words, what happens if two rules happen to be a positive for 
> a certain packet or stream? If only one fires how can you control 
> which one?
>
> Thanks!
>
> Geoff
>







More information about the Snort-users mailing list