[Snort-users] A simple question........

Jason security at ...5028...
Tue Sep 14 19:48:02 EDT 2004


I believe you are noticing a difference of behavior introduced in 2.1.3

http://www.snort.org

search for Snort 2.1.3 Release Candidate 1 released

where it is noted that event queuing was added.

Dennis George wrote:

> Hi, is anybody there who can solve this simple problem...
> 
> Dennis
> 
> Dennis George <easyeinfo at ...131...> wrote:
> 
> Hi
> 
> This is an extract from snort's FAQ (www.snort.org) 
> ==========================================================
> alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
> alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
> alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
> alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
> 
> Note that all three of the port 80 rules will be checked before the
> "1:1024" rule due to the order in which the applicable RTN has been
> created. This is because the rules parser builds the first chain
> header for port 80 traffic and sticks it on the rules list, then on
> the next rule it sees that a new chain header is required, so it gets
> built and put in place. In this case you would intuitively expect to
> get the "example" message and never see the "Port 80 SYN! ", but the
> opposite is true. 
> ==========================================================
> 
> So this means that snort will not check further if any of the rules
> is matched..... Am I correct ????
> 
> By the way, I am using snort 2.1.0 ..... And is it possible in Snort 2.2.0
> ..... Is it the default action in Snort 2.2.0 or do we have to do
> some work to enable it ????
> 
> Pedro Fortuna <pedro.fortuna at ...11827...> wrote:
> 
> Hello,
> 
> 1) In these cases, only the highest priority rule will generate an
> alert.
> 2) I don't know the answer for sure, but my guess is:
> - if the two rules are equal except for the SID, you'll get two alerts
> - if the two rules are completely equal (SID included), you'll get an error
> on snort start.
> 
> -Pedro Fortuna
> 
> 
> "Esler, Joel - Contractor" <joel.esler at ...9426...> wrote: 
> Depends on what version of Snort you are running.  Apparently Snort
> 2.2.0 alerts off of multiple rules.
> 
> Joel
> 
> 
> ----- Original Message -----
> From: Dennis George
> Date: Mon, 13 Sep 2004 02:44:08 -0700 (PDT)
> Subject: [Snort-users] A simple question........
> To: snort-users at lists.sourceforge.net
> 
> 
> Hi all,
> 
> I think it will be simple question............ But I am slightly 
> confused..........
> 
> 1) If in my rule file I have 3 rules and in a packet all the 3 rules 
> get satisfied... do I get all the three alerts ??
> 
> 2) If I have two identical rules then does snort discard one of the 
> rule or generate two alerts when that rule is satisfied ???
> 
> thanks in advance
> 
> Dennis
> 
> 
> 
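The following is an added toy model written for this archive page; it is not Snort's code. It reproduces the FAQ paragraph Dennis quotes (chain headers are created in first-seen order, so the three port 80 rules are checked before the 1:1024 rule) and contrasts the old "first match wins" alerting with the event queue Jason points to, which Snort 2.1.3 added and which is tuned in snort.conf with `config event_queue: max_queue 8 log 3 order_events content_length` (those values are the documented defaults). The packets, the `Rule` class and the simplified matching logic are constructed here for illustration; real Snort matching and queue ordering have more detail than this.

```python
"""Toy model of Snort rule-chain ordering and the 2.1.3+ event queue.

Added example for this thread; it is NOT Snort's code. It reproduces the
FAQ paragraph quoted above (the port 80 chain is checked before the
1:1024 chain because chain headers are created in first-seen order) and
contrasts the old "first match wins" alerting with the event queue that
Snort 2.1.3 introduced, whose snort.conf knob is
    config event_queue: max_queue 8 log 3 order_events content_length
The packets and the matching logic are simplified and constructed here.
"""
from typing import Dict, List, Optional


class Rule:
    def __init__(self, sid: int, dport: str, msg: str,
                 content: Optional[str] = None, flags: Optional[str] = None,
                 priority: int = 3):
        self.sid, self.dport, self.msg = sid, dport, msg
        self.content, self.flags, self.priority = content, flags, priority


# The four rules from the Snort FAQ extract, in file order.
FAQ_RULES = [
    Rule(1, "80", "foo", content="foo"),
    Rule(2, "1:1024", "example", flags="S"),
    Rule(3, "80", "Port 80 SYN!", flags="S"),
    Rule(4, "80", "baz", content="baz"),
]

# Constructed packets: a bare SYN to port 80, and a data segment to port 80.
SYN_PKT = {"dport": 80, "flags": "S", "payload": b""}
DATA_PKT = {"dport": 80, "flags": "PA", "payload": b"foo baz"}


def port_matches(spec: str, port: int) -> bool:
    """'80' matches exactly; '1:1024' is an inclusive range."""
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if not port_matches(rule.dport, pkt["dport"]):
        return False
    if rule.content is not None and rule.content.encode() not in pkt["payload"]:
        return False
    # 'flags: S' with no modifier means exactly SYN set (reserved bits ignored).
    if rule.flags is not None and pkt["flags"] != rule.flags:
        return False
    return True


def build_chains(rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Mimic the parser: one chain header per distinct port spec, created
    the first time that spec is seen; later rules for an existing header
    are appended to it rather than forming a new one."""
    chains: Dict[str, List[Rule]] = {}
    for r in rules:
        chains.setdefault(r.dport, []).append(r)
    return chains


def check_order(rules: List[Rule]) -> List[str]:
    """The order in which rules are actually evaluated against a packet."""
    return [r.msg for chain in build_chains(rules).values() for r in chain]


def first_match_alerts(rules: List[Rule], pkt: dict) -> List[str]:
    """Pre-2.1.3 behaviour the FAQ describes: the first matching rule alerts
    and evaluation stops, so later matches are never seen."""
    for chain in build_chains(rules).values():
        for r in chain:
            if rule_matches(r, pkt):
                return [r.msg]
    return []


def event_queue_alerts(rules: List[Rule], pkt: dict, max_queue: int = 8,
                       log: int = 3, order_events: str = "content_length") -> List[str]:
    """Event-queue behaviour: every match is queued (up to max_queue), the
    queue is ordered, and the top `log` events are reported."""
    matches = [r for chain in build_chains(rules).values()
               for r in chain if rule_matches(r, pkt)]
    queue = matches[:max_queue]
    if order_events == "priority":
        queue.sort(key=lambda r: r.priority)               # 1 = highest priority
    else:  # content_length: rules with longer content patterns first
        queue.sort(key=lambda r: len(r.content or ""), reverse=True)
    return [r.msg for r in queue[:log]]


if __name__ == "__main__":
    print("check order:", check_order(FAQ_RULES))
    for name, pkt in (("SYN", SYN_PKT), ("data", DATA_PKT)):
        print(name, "first-match:", first_match_alerts(FAQ_RULES, pkt))
        print(name, "event queue:", event_queue_alerts(FAQ_RULES, pkt))
```

Run as a script it prints the check order `foo, Port 80 SYN!, baz, example`; for the bare SYN the first-match model reports only "Port 80 SYN!" (the FAQ's counter-intuitive result), while the event-queue model reports both "Port 80 SYN!" and "example", which is the multi-rule alerting Joel observed in 2.2.0. Lowering `log` to 1 in the queue model gives back a single alert, which is the knob to look at if you want to restrict how many events a packet can produce.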
