[Snort-users] (no subject)
juergen.anthamatten at ...158...
Wed Jun 25 08:37:03 EDT 2003
> On Tue, 24 Jun 2003, Juergen Anthamatten wrote:
> > Rule application order: alert->pass->alarm
> By default, pass rules are applied last. You need to change the order in
> which rules are applied. Custom types are applied last unless you change
> the order.
> You can change the order with "-o" or a config directive. If you want
> 'alarm' to go first, then you need to use the config directive:
> config order: alarm pass alert dynamic
Thanks for the reply.
The rule order "alert->pass->alarm" is what I want, and I'm already using
"config order: alert pass alarm ..."
The problem was that for about 99% of the SYN-ACKs from 220.127.116.11
(of the form: 18.104.22.168.80 > universe.unpriv: S)
the pass rule was matching, and for about 1% the alarm rule.
Even if the order of "pass" and "alarm" were wrong, 100% of the SYN-ACKs
from 22.214.171.124:80 would have to match either the pass rule or the alarm rule,
not some the pass rule and some the alarm rule...
Andrew R. Baker's suggestion to use the latest version from the CVS tree
fixed the problem.
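The configuration the thread is talking about, written out as an added example (this is not the poster's snort.conf and not code from the Snort project): a custom "alarm" rule type, the "config order" directive that puts pass rules ahead of it, a pass rule for SYN-ACKs from one known web server, and an alarm rule for SYN-ACKs from port 80 of any other host. The variable names HOME_NET and WEBSRV, the network 192.168.1.0/24, the syslog facility, and the sids are assumptions chosen for the example; the web server address 220.127.116.11 is the one quoted in the message.

```snort
# Added example, not the original poster's configuration.
# Networks and names below are assumed for illustration.
var HOME_NET 192.168.1.0/24
var WEBSRV   220.127.116.11

# A custom rule type: behaves like "alert" but goes to its own output plugin.
# Custom types are applied last unless "config order" lists them explicitly.
ruletype alarm
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}

# Apply standard alerts first, then pass rules, then the custom "alarm" type.
# Without this line pass rules (and custom types) are applied last, so the
# pass rule below could never suppress anything the alarm rule matches.
config order: alert pass alarm dynamic

# SYN-ACKs from the known web server back to unprivileged client ports
# are expected traffic: pass them before the alarm rule is consulted.
pass tcp $WEBSRV 80 -> $HOME_NET 1024: \
    (msg:"SYN-ACK from known web server, ignored"; flags:SA; \
     sid:1000001; rev:1;)

# Everything else that looks like a web server answering one of our hosts
# reaches the alarm rule and is logged to syslog.
alarm tcp any 80 -> $HOME_NET 1024: \
    (msg:"SYN-ACK from port 80 of an unexpected host"; flags:SA; \
     sid:1000002; rev:1;)
```

With this order every SYN-ACK from 220.127.116.11:80 is matched by the pass rule and never reaches the alarm rule; any SYN-ACK from another host's port 80 fails the pass rule and is caught by the alarm rule. A packet from the listed server matching the alarm rule instead, as in the behaviour the poster reports, is not something this ordering can produce.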