[Snort-users] Weird rule order problem

Martin Roesch roesch at ...1935...
Mon Sep 22 12:52:12 EDT 2003


This is probably answered in FAQ 3.16, check that out and let us know 
if that doesn't help.

      -Marty

On Friday, September 19, 2003, at 09:32 AM, Jaakko J. wrote:

> Hello!
>
> I've got several Snort boxes running with identical configuration. In
> the local.rules files I've got rules like this, in this order:
>
> alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"LOCAL TCP connection \
> to unused address"; classtype:network-scan;)
>
> alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service \
> scan to unused address"; classtype:network-scan;)
>
> Now, when a TCP packet arrives at any of the unused addresses, port 21, on
> some hosts it's rule 1 that fires, and on other hosts rule 2. I used to
> have the rules ordered other way around, so that generic detection was
> the last rule. Back then I only got alerts from the generic rule.
>
> I would of course like the generic rule to fire only if none of the more
> detailed rules catches a packet. Am I doing something wrong or is there
> a bug in Snort?
>
> I'm using Snort 2.0.2 with OpenBSD 3.3. Problem was present with Snort
> 2.0.0 and 2.0.1 also.
>
> - Jaakko
>
-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
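Added example, not code from the thread or from Snort itself: a minimal Python model of the two rule headers quoted above. It shows that both rules match a TCP packet to port 21 on an unused address, so which one alerts depends entirely on the order in which the engine evaluates them, and it shows one way to make the result independent of order, by writing the generic rule's destination port as `!21` (Snort's port negation syntax) so the two headers no longer overlap. The `$UNUSED` binding and the sample packet are constructed values; the matcher is a deliberate simplification that only looks at the rule header (protocol, addresses, ports) and ignores rule options and Snort's real evaluation logic.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical variable bindings. The thread never shows the real $UNUSED
# definition, so an RFC 5737 documentation range stands in for it.
VARS = {"$EXTERNAL_NET": "any", "$UNUSED": "192.0.2.0/24"}

# The two rules quoted in the thread, in the order the poster listed them.
LOCAL_RULES = """
alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"LOCAL TCP connection to unused address"; classtype:network-scan;)
alert tcp $EXTERNAL_NET any -> $UNUSED 21 (msg:"LOCAL FTP service scan to unused address"; classtype:network-scan;)
"""

# Same rules, but the generic one excludes port 21 so the headers are disjoint.
DISJOINT_RULES = LOCAL_RULES.replace("-> $UNUSED any (", "-> $UNUSED !21 (")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):\s*("[^"]*"|[^;]*);')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str

    def specificity(self) -> int:
        # Number of header fields that are narrower than the "any" wildcard.
        return sum(f != "any" for f in (self.src, self.sport, self.dst, self.dport))


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rules(text: str) -> list[Rule]:
    """Parse rule headers and the msg option; substitute $VAR tokens."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m["opts"])}
        src, dst = VARS.get(m["src"], m["src"]), VARS.get(m["dst"], m["dst"])
        rules.append(Rule(m["action"], m["proto"], src, m["sport"],
                          dst, m["dport"], opts.get("msg", "")))
    return rules


def port_matches(spec: str, port: int) -> bool:
    """Supports 'any', a single port, a low:high range, and '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def addr_matches(spec: str, addr: str) -> bool:
    """Supports 'any', a CIDR or single address, and '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))


def matching_msgs(rules: list[Rule], pkt: Packet) -> list[str]:
    """Every rule whose header matches the packet, in file order."""
    return [r.msg for r in rules if rule_matches(r, pkt)]


def first_alert(rules: list[Rule], pkt: Packet, order: str = "file"):
    """msg of the first matching rule under a one-alert-per-packet policy.

    order="file": evaluate in the order the rules appear in the file.
    order="specific": most specific header first (ties keep file order).
    """
    ordered = list(rules)
    if order == "specific":
        ordered.sort(key=lambda r: -r.specificity())
    for r in ordered:
        if rule_matches(r, pkt):
            return r.msg
    return None


if __name__ == "__main__":
    # Constructed packet: external host probing port 21 on an unused address.
    pkt = Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 21)
    rules = parse_rules(LOCAL_RULES)
    print("overlapping rules that match:", matching_msgs(rules, pkt))
    print("fires in file order:       ", first_alert(rules, pkt, "file"))
    print("fires most-specific-first: ", first_alert(rules, pkt, "specific"))
    print("with !21 on generic rule:  ", matching_msgs(parse_rules(DISJOINT_RULES), pkt))
```

The point the two `first_alert` calls make is that nothing in the rule text itself decides the outcome: as long as both headers match, the engine's evaluation order does. Narrowing the generic rule with `!21` removes the overlap, so exactly one rule matches a port 21 probe whatever the order, which is the behaviour the poster is asking for; the same approach generalizes to a list such as `![21,22,25]` for each port that has its own detailed rule.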