[Snort-users] Part of traffic matching wrong rule

Erek Adams erek at ...950...
Tue Jun 24 12:23:23 EDT 2003

On Tue, 24 Jun 2003, Juergen Anthamatten wrote:


> Rule application order: alert->pass->alarm


By default, pass rules are applied last.  You need to change the order of
the applications of rules.  With custom types, they are applied last
unless you change the order.

You can change the order with "-o" or a config directive.  If you want
'alarm' to go first, then you need to use the config directive [0]:

	config order:  alarm pass alert dynamic


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.3
