[Snort-users] Weird rule order problem

Jaakko J. jaakko at ...10131...
Sun Sep 21 08:38:37 EDT 2003


I've got several Snort boxes running with identical configuration. In
the local.rules files I've got rules like this, in this order:

alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"LOCAL TCP connection \
to unused address"; classtype:network-scan;)

alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service \
scan to unused address"; classtype:network-scan;)

Now, when a TCP packet arrives at any of the unused addresses, port 21, on
some hosts it's rule 1 that fires, and on other hosts rule 2. I used to
have the rules ordered the other way around, so that generic detection was
the last rule. Back then I only got alerts from the generic rule.

I would of course like the generic rule to fire only if none of the more
detailed rules catches a packet. Am I doing something wrong or is there
a bug in Snort?

I'm using Snort 2.0.2 with OpenBSD 3.3. The problem was present with Snort
2.0.0 and 2.0.1 also.

- Jaakko
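One way to take evaluation order out of the picture, added here as an example and not part of Jaakko's post: make the generic rule and the FTP-specific rule mutually exclusive, so that a packet to port 21 can only ever match one of them and it no longer matters which rule the engine tests first. `$EXTERNAL_NET` and `$UNUSED` are the variables from the post; the `!21` port negation is standard Snort rule-header syntax, and the `sid` values are assumed local-range identifiers chosen for this example.

```snort
# Specific rule: FTP control port on an otherwise unused address.
alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service \
scan to unused address"; classtype:network-scan; sid:1000002; rev:1;)

# Generic rule: every destination port except 21. A packet to port 21
# cannot match here, so only the FTP rule above can fire for it,
# regardless of the order in which the detection engine evaluates rules.
alert tcp $EXTERNAL_NET any -> $UNUSED !21 (msg:"LOCAL TCP connection \
to unused address (non-FTP port)"; classtype:network-scan; sid:1000001; rev:1;)
```

Each further service-specific rule needs its port removed from the generic rule as well; since the rule header only takes a single port, a range (`1:1024`) or a negation (`!21`), covering several excluded ports means splitting the generic rule into port ranges. Both rules as written match every TCP segment to the unused addresses, not just connection attempts; adding `flags:S;` to each would restrict them to SYNs if that is the intent.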
