[Snort-users] Dangerous to use custom ruletypes?

Martin Olsson elof at ...6680...
Wed May 14 09:55:18 EDT 2003

Is it dangerous to use custom ruletypes?

I just discovered that when you define your own ruletypes, they are put
LAST in the chain of rules. Here is an example of the output when I run
snort with the -o option (pass rules first):

  Rule application order: ->pass->activation->dynamic->alert->log->panic

I have created a ruletype named "panic" where I have put all my critical
rules. As you can see, "panic" is placed at the end of the rule-chain.
Does this mean that if I have some more generic alert-rule that matches
the packet, it won't make it to the panic-rule?

Right now I'm using the latest snort-rules as well as my own panic-rules.
What worries me is that some of the snort-rules, say rule #1113, might
trigger on the simple pattern "../", while my panic-rule would have
triggered on the same packet. Instead of getting my own alert-message with
detailed information I just get a "WEB-MISC http directory traversal".

Say it isn't so!

(run on snort 1.9.1 on FreeBSD 4.7)

Martin Olsson
Sentor AB, Sweden

More information about the Snort-users mailing list