[Snort-users] Weird rule order problem
roesch at ...1935...
Mon Sep 22 12:52:12 EDT 2003
This is probably answered in FAQ 3.16; check that out and let us know
if that doesn't help.
On Friday, September 19, 2003, at 09:32 AM, Jaakko J. wrote:
> I've got several Snort boxes running with identical configuration. In
> the local.rules files I've got rules like this, in this order:
> alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"LOCAL TCP connection \
> to unused address"; classtype:network-scan;)
> alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service \
> scan to unused address"; classtype:network-scan;)
> Now, when a TCP packet arrives at any of the unused addresses, port 21,
> on some hosts it's rule 1 that fires, and on other hosts rule 2. I used to
> have the rules ordered the other way around, so that generic detection was
> the last rule. Back then I only got alerts from the generic rule.
> I would of course like the generic rule to fire only if none of the more
> detailed rules catches a packet. Am I doing something wrong or is there
> a bug in Snort?
> I'm using Snort 2.0.2 with OpenBSD 3.3. Problem was present with Snort
> 2.0.0 and 2.0.1 also.
> - Jaakko
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
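The behaviour Jaakko describes is what you get from any engine that reports one alert per packet and picks the first matching rule in an order that is not the file order: the two posted rule headers overlap (port "any" covers port 21), so which one wins depends on how the engine happens to order them. The following is an added example, not Snort's detection engine and not code from the thread: a toy matcher over the two posted headers that shows the overlap makes the result order-dependent, and that rewriting the generic header so it excludes port 21 (the `!21` port negation is ordinary Snort header syntax; using it here as the remedy is my suggestion, not something stated in the thread) makes the alert the same under every rule order. Hosts and source ports are omitted; only the destination port is modelled.

```python
"""Toy model of overlapping Snort-style rule headers (added example, not Snort's code).

Demonstrates why a generic "any"-port rule and a specific port-21 rule give
order-dependent alerts under one-alert-per-packet semantics, and how making
the headers disjoint (port !21 on the generic rule) removes that dependence.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    """A rule reduced to its message and destination-port spec.

    dst_port uses Snort-like syntax: "any", a single port such as "21",
    or a negated port such as "!21" (hypothetical reduced model).
    """
    msg: str
    dst_port: str

    def matches(self, port: int) -> bool:
        spec = self.dst_port
        if spec == "any":
            return True
        negate = spec.startswith("!")
        want = int(spec.lstrip("!"))
        return (port != want) if negate else (port == want)

    def to_snort(self) -> str:
        """Render as a Snort rule header in the style of the posted rules."""
        return (f'alert tcp $EXTERNAL_NET any -> $UNUSED {self.dst_port} '
                f'(msg:"{self.msg}"; classtype:network-scan;)')


def first_match(rules: Iterable[Rule], port: int) -> Optional[str]:
    """One alert per packet: the first matching rule, in the order given, wins."""
    for rule in rules:
        if rule.matches(port):
            return rule.msg
    return None


def order_independent(rules: List[Rule], port: int) -> bool:
    """True if every ordering of the rules yields the same alert for this port."""
    outcomes = {first_match(order, port) for order in permutations(rules)}
    return len(outcomes) == 1


# The two headers as posted (constructed from the thread, ports only).
OVERLAPPING = [
    Rule("LOCAL TCP connection to unused address", "any"),
    Rule("LOCAL FTP service scan to unused address", "21"),
]

# Same pair with the generic rule made disjoint from the specific one.
DISJOINT = [
    Rule("LOCAL TCP connection to unused address", "!21"),
    Rule("LOCAL FTP service scan to unused address", "21"),
]


if __name__ == "__main__":
    for label, rules in (("overlapping", OVERLAPPING), ("disjoint", DISJOINT)):
        print(f"{label}: port 21 order-independent = {order_independent(rules, 21)}")
        for order in permutations(rules):
            print("  ", [r.dst_port for r in order], "->", first_match(order, 21))
    print()
    for rule in DISJOINT:
        print(rule.to_snort())
```

Run as a script, the overlapping pair reports a different alert for port 21 depending on which rule the engine checks first, while the disjoint pair reports the FTP rule regardless of order and still falls through to the generic rule for every other port.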