[Snort-users] Part of traffic matching wrong rule

Erek Adams erek at ...950...
Tue Jun 24 12:23:23 EDT 2003


On Tue, 24 Jun 2003, Juergen Anthamatten wrote:

[...snip...]

> Rule application order: alert->pass->alarm

[...snip...]

By default, pass rules are applied last.  You need to change the order of
the applications of rules.  With custom types, they are applied last
unless you change the order.

You can change the order with "-o" or a config directive.  If you want
'alarm' to go first, then you need to use the config directive [0]:

	config order:  alarm pass alert dynamic

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.3
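
An added illustration, not part of the original post and not Snort code: a small model of how the rule-type order decides which rule fires for a packet, comparing the order quoted in the thread with the `config order` line from the reply. It assumes a simplified first-match model (rule lists are walked in the configured type order and evaluation stops at the first match); the rules, packets, addresses and function names are constructed for the example.

```python
# Simplified model (assumption): rule lists are walked in the configured
# type order and evaluation stops at the first rule that matches.

def parse_order(directive):
    """Return the rule-type names from a 'config order:' line."""
    key, _, value = directive.partition(":")
    if key.split() != ["config", "order"]:
        raise ValueError("not a 'config order' directive: %r" % directive)
    names = value.split()
    if not names or len(set(names)) != len(names):
        raise ValueError("empty or duplicated rule types")
    return names

# Constructed sample rules: (rule type, message, match predicate)
RULES = [
    ("alert", "generic web traffic", lambda p: p["dport"] == 80),
    ("alarm", "web traffic to critical host",
     lambda p: p["dport"] == 80 and p["dst"] == "10.0.0.5"),
    ("pass", "trusted scanner", lambda p: p["src"] == "10.0.0.99"),
]

def first_match(packet, order):
    """Return (type, msg) of the first matching rule, or None."""
    for rtype in order:
        for rule_type, msg, pred in RULES:
            if rule_type == rtype and pred(packet):
                return rtype, msg
    return None

# Constructed sample packets
PACKETS = [
    {"src": "192.0.2.7", "dst": "10.0.0.5", "dport": 80},
    {"src": "10.0.0.99", "dst": "10.0.0.8", "dport": 80},
    {"src": "192.0.2.7", "dst": "10.0.0.8", "dport": 80},
]

def compare(before, after):
    """Verdict per packet under each ordering."""
    return [(first_match(p, before), first_match(p, after)) for p in PACKETS]

ORDER_BEFORE = ["alert", "pass", "alarm"]   # order quoted in the thread
ORDER_AFTER = parse_order("config order:  alarm pass alert dynamic")

if __name__ == "__main__":
    for pkt, (b, a) in zip(PACKETS, compare(ORDER_BEFORE, ORDER_AFTER)):
        print(pkt["src"], "->", pkt["dst"], "| before:", b, "| after:", a)
```

With the original order the broad alert rule shadows both the more specific alarm rule and the pass rule; with the reordered list each of them gets to match first.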
