[Snort-users] Newbie questions are as newbie questions does
Michael L. Artz
dragon at ...8731...
Mon Apr 7 19:14:04 EDT 2003
Snort is currently a "first match out" IDS, so make sure that you define
your alerts by specificity in the config file.
Geoff Craig wrote:
> Hello all,
> In a “theoretical” deployment, say you had one Snort box that was
> monitoring traffic going to 3 boxes, 2 real web servers, and 1
> honeypot. So, I have a rule that alerts on all port 80 traffic going
> to the honeypot, but just the web-iis.rules for the other 2 web
> servers. Will the rule that logs all port 80 traffic cause the
> web-iis.rules to not be fired when going to the honeypot? If I need to
> be more in depth let me know.
> In other words, what happens if two rules happen to be a positive for
> a certain packet or stream? If only one fires how can you control
> which one?