[Snort-users] Rule order?
trodwell at ...10764...
Wed Dec 17 12:34:00 EST 2003
I think I might be missing something basic here. I'm getting to grips with
Snort, trying out some really simple configs. I'm use to rules being run in
the sequence they appear, so I my snort.conf is currently this:-
var OUTSIDE_IF $eth0_ADDRESS
config logdir: /var/snort/log
log tcp any any -> $OUTSIDE_IF any (flags: A; ack: 0; msg: "NMAP TCP ping";)
log icmp any any -> any any (logto:"icmp.log";)
log tcp any any -> $OUTSIDE_IF any (flags: S; msg: "Possible unsolicited
log tcp any any <> $OUTSIDE_IF any (logto:"normal.log";)
log udp any any -> any any
but then the following appeared in my 'normal.log' - addresses changed to
protect the innocent :-)
12/17-13:04:32.225415 [IP-address]:50712 -> [OUTSIDE_IF]:22
TCP TTL:52 TOS:0x0 ID:57971 IpLen:20 DgmLen:48 DF
******S* Seq: 0x62D60A62 Ack: 0x0 Win: 0xC1E8 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
... which by my reckoning should have set matched rule number 3 before rule
Thanks in advance
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 11/12/2003
More information about the Snort-users