[Snort-users] Newbie questions are as newbie questions does

Erek Adams erek at ...950...
Tue Apr 8 08:10:05 EDT 2003

On Mon, 7 Apr 2003, Geoff Craig wrote:

> In a "theoretical" deployment, say you had one Snort box that was
> monitoring traffic going to 3 boxes, 2 real web servers, and 1 honeypot.
> So, I have a rule that alerts on all port 80 traffic going to the
> honeypot, but just the web-iis.rules for the other 2 web servers.  Will
> the rule that logs all port 80 traffic cause the web-iis.rules to not be
> fired when going to the honeypot?  If I need to be more in depth let me
> know.
> In other words, what happens if two rules happen to be a positive for a
> certain packet or stream?  If only one fires how can you control which
> one?

If you're going to 'log' all traffic going to port 80 on your honeypot,
I'd suggest using Tcpdump instead of Snort.  If all you want is to log
packets, there's no real need to use the extra overhead of Snort.
Granted, you'll need to change the snaplen with Tcpdump to get the entire
packet.  That would eliminate the overhead of the rule engine and such.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list