[Snort-users] (no subject)

Juergen Anthamatten juergen.anthamatten at ...158...
Wed Jun 25 08:37:03 EDT 2003


> On Tue, 24 Jun 2003, Juergen Anthamatten wrote:
> 
> [...snip...]
> 
> > Rule application order: alert->pass->alarm
> 
> [...snip...]
> 
> By default, pass rules are applied last.  You need to change the order of
> the applications of rules.  With custom types, they are applied last
> unless you change the order.
> 
> You can change the order with "-o" or a config directive.  If you want
> 'alarm' to go first, then you need to use the config directive [0]:
> 
> 	config order:  alarm pass alert dynamic
> 
> Cheers!
> 
Thanks for the reply.

The rule order "alert->pass->alarm" is what I want, and I'm already using
"config order:  alert pass alarm ..."

The problem was that for about 99% of the SYN-ACKs from 64.232.48.230
(of the form: 64.232.48.230.80 > universe.unpriv: S
2146395230:2146395230(0) ack...)
the pass rule was matching, and for about 1% the alarm rule.
Even if the order of "pass" and "alarm" were wrong, 100% of the SYN-ACKs
from 64.232.48.230:80 would have to match either the pass rule or the alarm rule,
but not some the pass rule and some the alarm rule...

Andrew R. Baker's suggestion to use the latest version from the CVS tree
fixed the problem.

./juergen
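As an added illustration that is not part of this thread, here is how the rule ordering discussed above is expressed in a Snort 2 configuration: a custom `alarm` rule type, the `config order` directive, and a pass rule for the web server from the thread in front of a broader `alarm` rule. The `ruletype` name, the syslog output plugin, `$HOME_NET` and the sids are assumptions, not taken from the thread.

```snort
# Custom rule type "alarm": behaves like alert, but logs via syslog
# (assumed output plugin; any alert output plugin would do)
ruletype alarm
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}

# Without this directive, pass rules and custom types are evaluated last,
# so the pass rule below would never get a chance to suppress the alarm rule.
config order: alert pass alarm dynamic

# Whitelist SYN/ACKs from the known-good web server named in the thread.
# With the order above this rule is checked before "alarm" rules, so every
# matching packet is passed and never reaches the alarm rule.
pass tcp 64.232.48.230 80 -> $HOME_NET any (msg:"Expected SYN/ACK from 64.232.48.230"; flags:SA; sid:1000001; rev:1;)

# Alarm on SYN/ACKs from port 80 of any other host (assumed broad rule for
# illustration; tune the source network before using it on real traffic).
alarm tcp any 80 -> $HOME_NET any (msg:"SYN/ACK from unexpected web server"; flags:SA; sid:1000002; rev:1;)
```

With this configuration every SYN/ACK from 64.232.48.230:80 should hit the pass rule and none the alarm rule; a split like the 99%/1% described above points at the engine, not at the rule order.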

