[Snort-users] ruleset priority

Brian D. Hamm brian.hamm at ...11623...
Mon Apr 12 06:32:12 EDT 2004


Why does the less specific rule continue to fire over the rule with a
specific destination IP address set? I have tried switching the order,
moving the 8.8.8.8 rule to local.rules, and even tried adding a /32, but
the more generic any any -> any 69 continues to fire. The only way I
can get the 8.8.8.8 rule to fire is to change the more generic rule to
any any -> any 70. It does fire then, so I know the rule is valid.

alert udp any any -> 8.8.8.8 69 (msg:"TFTP 8888 GET"; content:"|00 01|";
offset:0; depth:2; classtype:not-suspicious; sid:1444; rev:2;)
alert udp any any -> any 69 (msg:"TFTP Z Get"; content:"|00 01|";
offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)

I read the README.

Thanks,

Brian 
