[Snort-users] Rule order?

Toby Rodwell trodwell at ...10764...
Wed Dec 17 12:34:00 EST 2003


I think I might be missing something basic here.  I'm getting to grips with
Snort, trying out some really simple configs.  I'm used to rules being run in
the sequence they appear, so my snort.conf is currently this:-

var OUTSIDE_IF $eth0_ADDRESS
config dump_payload
config logdir: /var/snort/log
log tcp any any -> $OUTSIDE_IF any (flags: A; ack: 0; msg: "NMAP TCP ping";)
log icmp any any -> any any (logto:"icmp.log";)
log tcp any any -> $OUTSIDE_IF any (flags: S; msg: "Possible unsolicited SYN";)
log tcp any any <> $OUTSIDE_IF any (logto:"normal.log";)
log udp any any -> any any

but then the following appeared in my 'normal.log' - addresses changed to
protect the innocent :-)

12/17-13:04:32.225415 [IP-address]:50712 -> [OUTSIDE_IF]:22
TCP TTL:52 TOS:0x0 ID:57971 IpLen:20 DgmLen:48 DF
******S* Seq: 0x62D60A62  Ack: 0x0  Win: 0xC1E8  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

... which by my reckoning should have matched rule number 3 before rule
number 4.

Any ideas?
Thanks in advance
Toby
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 11/12/2003
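Added example (not part of Toby's post, and not Snort's own code): a toy matcher that parses the five `log` rules from the snort.conf above and evaluates the logged SYN packet against all of them. Snort does not promise to run rules in the order they appear in the file; rule types are processed in a configured order (alert, pass, log by default) and rules of one type are grouped by protocol and port before the detection engine sees them. The question is therefore not whether rule 3 matches the packet but which of the rules that match gets reported, so the matcher lists every matching rule rather than stopping at the first. The interface address and the source address are assumptions, since both are redacted in the original log line; the ACK-with-zero-ack packet at the end is constructed to exercise the "NMAP TCP ping" rule as well.

```python
import re

# Assumed value for the $OUTSIDE_IF variable (redacted as [OUTSIDE_IF] in the post).
VARS = {"OUTSIDE_IF": "192.0.2.10"}

# The five rules exactly as posted (rule 3 re-joined onto one line).
RULES = [
    'log tcp any any -> $OUTSIDE_IF any (flags: A; ack: 0; msg: "NMAP TCP ping";)',
    'log icmp any any -> any any (logto:"icmp.log";)',
    'log tcp any any -> $OUTSIDE_IF any (flags: S; msg: "Possible unsolicited SYN";)',
    'log tcp any any <> $OUTSIDE_IF any (logto:"normal.log";)',
    'log udp any any -> any any',
]

# action proto src sport dir dst dport [(options)]
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$'
)


def parse_rule(text):
    """Split a rule into its header fields and a dict of its options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    for key in ("src", "dst"):            # expand $VAR in address fields
        if rule[key].startswith("$"):
            rule[key] = VARS[rule[key][1:]]
    opts = {}
    for opt in (rule["opts"] or "").split(";"):
        opt = opt.strip()
        if opt:
            name, _, value = opt.partition(":")
            opts[name.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def _endpoint_matches(rule_addr, rule_port, addr, port):
    return (rule_addr == "any" or rule_addr == addr) and \
           (rule_port == "any" or int(rule_port) == port)


def rule_matches(rule, pkt):
    """True if the packet satisfies the rule header and its flags/ack options."""
    if rule["proto"] != pkt["proto"]:
        return False
    forward = _endpoint_matches(rule["src"], rule["sport"], pkt["src"], pkt["sport"]) and \
              _endpoint_matches(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":               # bidirectional: either orientation will do
        reverse = _endpoint_matches(rule["src"], rule["sport"], pkt["dst"], pkt["dport"]) and \
                  _endpoint_matches(rule["dst"], rule["dport"], pkt["src"], pkt["sport"])
        if not (forward or reverse):
            return False
    elif not forward:
        return False
    opts = rule["opts"]
    # flags:S means exactly the listed bits are set (no '+' / '*' modifiers handled here).
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    if "ack" in opts and int(opts["ack"]) != pkt.get("ack"):
        return False
    return True


def matching_rules(pkt, rules=RULES):
    """Return the 1-based file positions of every rule that matches pkt."""
    return [i for i, text in enumerate(rules, 1) if rule_matches(parse_rule(text), pkt)]


# Constructed from the normal.log excerpt; the source address is assumed.
SYN_PACKET = {"proto": "tcp", "src": "198.51.100.7", "sport": 50712,
              "dst": VARS["OUTSIDE_IF"], "dport": 22, "flags": "S", "ack": 0}

# Constructed: a bare ACK with ack number 0, the shape rule 1 is written for.
NMAP_PING_PACKET = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000,
                    "dst": VARS["OUTSIDE_IF"], "dport": 80, "flags": "A", "ack": 0}

if __name__ == "__main__":
    print("SYN packet matches rules:", matching_rules(SYN_PACKET))          # [3, 4]
    print("ACK/ack:0 packet matches rules:", matching_rules(NMAP_PING_PACKET))  # [1, 4]
```

The SYN to port 22 satisfies both rule 3 (flags S, inbound) and rule 4 (any TCP to or from the interface, no flag constraint), so a logging engine that picks among matching rules by some criterion other than file position can legitimately land it in normal.log. The same holds for the ACK probe, which satisfies rules 1 and 4.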