[Snort-users] Rules: flags burp using 2.0.2?
jsage at ...2022...
Mon Sep 22 11:17:12 EDT 2003
On Mon, Sep 22, 2003 at 11:36:36AM -0400, Matt Kettler wrote:
> At 08:31 PM 9/21/2003, John Sage wrote:
> >Rather than picking up these, it drops through to the generic TCP:135
> >rule I've got, which confuses what I'm trying to do...
> >Wha' happen' between 1.9.1 and here, flags-wise?
> That sounds more like a rule-ordering difference than anything else. Snort
> does not necessarily process rules in the same order that they appear in
> your rule files, although that is somewhat of a factor.
That brings back a faint memory from about 1.8.7 or so, methinks..
> Now, I do recall someone claiming that 2.x was going to change rule
> processing so that every rule that matched a given packet would fire. This
> would lead to a single packet triggering both of your rules. However, I
> don't know if this made it into the final 2.x, and the behavior you are
> seeing would seem to indicate that it did not.
> You might try disabling your generic rule, and see if the flag ones start
> firing off. If they do, it's probably a rule order thing.
I'll try this (in fact it's live, right now...) and see what happens.
Thanks.. (BTW: still dunno about that blocking deal...)
"Warning: time of day goes back, taking countermeasures."
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
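As an added illustration of the test Matt proposes (not from the original thread), here is a pair of Snort 2.x rules of the shape being discussed: a generic TCP/135 rule beside a flags-qualified one for the same traffic. The flag value, rule messages and sids are assumptions; the check is to comment out the generic rule and see whether the flags rule then alerts on the same packets.

```snort
# Added example, not from the thread. Two rules that can both match one
# inbound TCP/135 packet; the question in the thread is which one fires.

# Generic rule: any TCP packet to port 135 (the "drops through" rule).
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL TCP 135 generic"; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Flags-qualified rule: SYN-only packets to port 135 (flag value assumed).
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL TCP 135 SYN"; \
    flags:S; classtype:attempted-recon; sid:1000002; rev:1;)

# Test for the rule-ordering theory: comment out sid:1000001, reload, and
# watch the same traffic. If sid:1000002 now alerts, the two rules were
# competing for the same packet and only one of them was firing.
```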