[Snort-users] Rules: flags burp using 2.0.2?
mkettler at ...4108...
Mon Sep 22 08:38:07 EDT 2003
At 08:31 PM 9/21/2003, John Sage wrote:
>Rather than picking up these, it drops through to the generic TCP:135
>rule I've got, which confuses what I'm trying to do...
>Wha' happen' between 1.9.1 and here, flags-wise?
That sounds more like a rule-ordering difference than anything else. Snort
does not necessarily process rules in the same order that they appear in
your rule files, although that is somewhat of a factor.
Now, I do recall someone claiming that 2.x was going to change rule
processing so that every rule that matched a given packet would fire. This
would lead to a single packet triggering both of your rules. However, I
don't know if this made it into the final 2.x, and the behavior you are
seeing would seem to indicate that it did not.
You might try disabling your generic rule, and see if the flag ones start
firing off. If they do, it's probably a rule order thing.