FW: [Snort-users] Policy-Based monitoring

Kaplan, Andrew H. AHKAPLAN at ...10063...
Thu Oct 14 14:00:08 EDT 2004

-----Original Message-----
From: Kaplan, Andrew H. 
Sent: Thursday, October 14, 2004 1:17 PM
To: 'Schott, Erik J Mr ANOSC/FCBS'
Cc: Snort User Group (E-mail)
Subject: RE: [Snort-users] Policy-Based monitoring

Hi Erik --

I did a check of the README.alert_order file but I am not sure as to how I can
change the rule application order
from its current setting of:
to the one I prefer which is:

Correct me if I'm wrong, but if I'm using a policy-based.rules file shouldn't
the pass items be handled first, and
then if the packet does not match any of the pass items it should then fall
under the alert category? 
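The ordering question above is easier to see in a small model. The following is an added example, not code from the thread or from the Snort project: it imitates the rule-type sequence that Snort 2.2's README.alert_order describes (activation, dynamic, alert, pass, log by default; pass first when started with `-o` or, per the Snort 2.x manual, with a `config order:` line in snort.conf), using a constructed pass rule and alert rule that both match the same SSH packet. Rule matching on source network and destination port only, the packet dicts, and the `config order:` parsing helper are simplifications assumed for the example.

```python
"""Toy model of Snort 2.x rule-type application order (added example, not Snort code).

The engine tries rule *types* in a fixed sequence; the first type that holds a
rule matching the packet decides the outcome.  Default order per Snort 2.2's
README.alert_order: activation, dynamic, alert, pass, log.  With `-o` (or a
`config order:` line in snort.conf) pass rules are consulted first.
Packet/rule matching here is a constructed simplification (source network and
destination port only), not Snort's real rule parser.
"""
from ipaddress import ip_address, ip_network

DEFAULT_ORDER = ("activation", "dynamic", "alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "activation", "dynamic", "alert", "log")

# Constructed rules: the pass rule whitelists one trusted admin host on TCP/22,
# the alert rule fires on any connection to TCP/22.
RULES = [
    {"type": "pass", "src": "10.0.0.5/32", "dport": 22, "msg": "trusted admin host"},
    {"type": "alert", "src": "any", "dport": 22, "msg": "SSH connection"},
]


def matches(rule, pkt):
    """Simplified match: source address inside the rule's network and same dport."""
    src_ok = rule["src"] == "any" or ip_address(pkt["src"]) in ip_network(rule["src"])
    return src_ok and rule["dport"] == pkt["dport"]


def apply_rules(pkt, rules, order=DEFAULT_ORDER):
    """Walk rule types in `order`; return (type, msg) of the first hit, else None."""
    for rtype in order:
        for rule in rules:
            if rule["type"] == rtype and matches(rule, pkt):
                return rtype, rule["msg"]
    return None


def verdict(pkt, rules, order=DEFAULT_ORDER):
    """Rule type that decides the packet ('alert', 'pass', ...) or 'none'."""
    hit = apply_rules(pkt, rules, order)
    return hit[0] if hit else "none"


def order_from_config(conf_text):
    """Read a `config order: ...` line from a snort.conf fragment (syntax as given in
    the Snort 2.x manual; assumed here), falling back to the default order."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("config order:"):
            return tuple(line.split(":", 1)[1].split())
    return DEFAULT_ORDER


if __name__ == "__main__":
    admin = {"src": "10.0.0.5", "dport": 22}   # constructed packet from the trusted host
    other = {"src": "192.0.2.9", "dport": 22}  # constructed packet from elsewhere
    # Default order: the alert type is tried before pass, so the whitelist never applies.
    print(verdict(admin, RULES))                                    # alert
    # Pass-first order: the whitelist wins for the admin host only.
    conf = "config order: pass activation dynamic alert log\n"
    print(verdict(admin, RULES, order_from_config(conf)))           # pass
    print(verdict(other, RULES, order_from_config(conf)))           # alert
```

The model shows why position inside snort.conf is not enough on its own: with the default type order a matching alert rule is found before any pass rule is consulted, so a whitelist written as pass rules only takes effect once the type order puts pass first.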

-----Original Message-----
From: Schott, Erik J Mr ANOSC/FCBS
[mailto:erik.schott-FCBS at ...12562...]
Sent: Wednesday, October 13, 2004 7:28 PM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] Policy-Based monitoring

Hi Andrew.  Where you put the rule in your snort.conf determines which rule
snort selects when it receives a matching packet.  The
snort-2.2.0/doc/README.alert_order file is where you want to look.  It
explains the rule selection algorithm fairly well.
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Kaplan,
Andrew H.
Sent: Wednesday, October 13, 2004 5:47 AM
To: Snort User Group (E-mail)
Subject: [Snort-users] Policy-Based monitoring

Hi there --

I got Snort to operate successfully and alerts are appearing on the ACID
console. My next step is to refine the monitoring, and to that end the
that I was planning on taking was using a policy-based.rules file. I will be
modifying the snort.conf file to include the line: include

The questions I have are, does the position of the new line matter? Should I
the new line at the beginning of the include statements or after them? Also,
adding the line is there anything else that I need to do to Snort, or is
adding the above line sufficient? Thanks.
