[Snort-users] Another Snort Rules Question

Scott Elgram SElgram at ...10477...
Tue Sep 7 16:39:23 EDT 2004


Hello again,
    I have 2 rules... (yes, this is pointless and bad practice, I know, just bear with me here).

alert icmp 192.168.0.31 any -> 192.168.0.240 any (msg: "Test ICMP ping 1";)
alert icmp 192.168.0.31 any -> 192.168.0.240 any (msg: "Test ICMP ping 2";)

    OK, I am 192.168.31 and I ping 192.168.0.240... In ACID I get 2 alerts: one for msg: "Test ICMP ping 1" and one for "Test ICMP ping 2". Now, I could be wrong here, but I thought that after a packet is shown true to a rule, Snort stops comparing the packet to rules.

-Scott