[Snort-users] A simple question........

Martin Roesch roesch at ...1935...
Thu Sep 16 20:47:28 EDT 2004


The FAQ needs to be updated....

      -Marty

On Sep 14, 2004, at 10:46 PM, Jason wrote:

> I believe you are noticing a difference of behavior introduced in 2.1.3
>
> http://www.snort.org
>
> search for Snort 2.1.3 Release Candidate 1 released
>
> where it is noted that event queuing was added.
>
> Dennis George wrote:
>
>> Hi, is anybody there who can solve this simple problem...
>> Dennis
>>
>> Dennis George <easyeinfo at ...131...> wrote:
>> Hi,
>> This is an extract from Snort's FAQ (www.snort.org):
>> ==========================================================
>> alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
>> alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
>> alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
>> alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
>>
>> Note that all three of the port 80 rules will be checked before the
>> "1:1024" rule due to the order in which the applicable RTN has been
>> created. This is because the rules parser builds the first chain
>> header for port 80 traffic and sticks it on the rules list, then on
>> the next rule it sees that a new chain header is required, so it gets
>> built and put in place. In this case you would intuitively expect to
>> get the "example" message and never see the "Port 80 SYN!", but the
>> opposite is true.
>> ==========================================================
>> So this means that Snort will not check further if any of the rules
>> is matched... Am I correct?
>> By the way, I am using Snort 2.1.0... And is it possible in Snort 2.2.0?
>> Is it the default action in Snort 2.2.0 or do we have to do
>> some work to enable it?
>> Pedro Fortuna <pedro.fortuna at ...11827...> wrote:
>> Hello,
>> 1) In these cases, only the highest priority rule will generate an
>> alert.
>> 2) I don't know the answer for sure, but my guess is:
>> - if the two rules are equal except for the SID, you'll get two alerts
>> - if the two rules are completely equal (SID included), you'll get an
>> error on Snort start.
>> -Pedro Fortuna
>> "Esler, Joel - Contractor" <joel.esler at ...9426...> wrote:
>> Depends on what version of Snort you are running.  Apparently Snort
>> 2.2.0 alerts off of multiple rules.
>> Joel
>> ----- Original Message -----
>> From: Dennis George
>> Date: Mon, 13 Sep 2004 02:44:08 -0700 (PDT)
>> Subject: [Snort-users] A simple question........
>> To: snort-users at lists.sourceforge.net
>>
>> Hi all,
>> I think it will be a simple question... But I am slightly confused...
>> 1) If in my rule file I have 3 rules and in a packet all the 3 rules
>> get satisfied, do I get all three alerts?
>> 2) If I have two identical rules, then does Snort discard one of the
>> rules or generate two alerts when that rule is satisfied?
>> thanks in advance
>> Dennis
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
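The FAQ extract quoted in this thread explains why, before event queuing arrived in 2.1.3, a SYN to port 80 produced the "Port 80 SYN!" alert and never the "example" one: the parser hangs rules under chain headers (RTNs) in the order it first meets each header, and evaluation stopped at the first hit. The Python model below is an added example written for this page; it is not Snort's code and not from any of the posters. It assumes a simplified rule (destination port range, optional content, optional exact flag set, a priority number) and a simplified packet, and it contrasts the old first-match behaviour with an event queue that collects every hit, orders the queue, and reports the top `log_n` events.

```python
"""Toy model of Snort rule-chain ordering and the 2.1.3 event queue.

Added example for the thread above; it is NOT Snort's own code.  The rule
and packet representations are deliberately simplified assumptions:
  * a Rule has a destination port range, an optional payload `content`,
    an optional TCP `flags` string and a Snort-style `priority`
    (lower number = more important);
  * a Packet is just dport, flags and payload.
Two evaluation strategies are modelled:
  * first_match(): pre-2.1.3 behaviour as the FAQ describes it; rules are
    grouped under chain headers (RTNs) in the order the parser first met
    each header, and the first matching rule in the first chain wins;
  * event_queue(): 2.1.3+ behaviour; every matching rule is collected,
    sorted, and the top `log_n` are reported.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    msg: str
    dport: Tuple[int, int]            # inclusive range: (80, 80) or (1, 1024)
    content: Optional[bytes] = None   # substring the payload must contain
    flags: Optional[str] = None       # exact TCP flag set, e.g. "S" for SYN
    priority: int = 3                 # assumed default; lower = more important


@dataclass(frozen=True)
class Packet:
    dport: int
    flags: str = ""
    payload: bytes = b""


# The four rules from the quoted FAQ extract, in file order.
FAQ_RULES: List[Rule] = [
    Rule("foo", (80, 80), content=b"foo"),
    Rule("example", (1, 1024), flags="S"),
    Rule("Port 80 SYN!", (80, 80), flags="S"),
    Rule("baz", (80, 80), content=b"baz"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header check (port range) followed by the option checks."""
    lo, hi = rule.dport
    if not lo <= pkt.dport <= hi:
        return False
    if rule.flags is not None and pkt.flags != rule.flags:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def build_chains(rules: List[Rule]) -> Dict[Tuple[int, int], List[Rule]]:
    """Group rules by header in first-seen order: the parser creates the
    port-80 chain on rule 1, a new 1:1024 chain on rule 2, and hangs
    rules 3 and 4 off the existing port-80 chain."""
    chains: Dict[Tuple[int, int], List[Rule]] = {}
    for rule in rules:
        chains.setdefault(rule.dport, []).append(rule)
    return chains


def first_match(rules: List[Rule], pkt: Packet) -> List[str]:
    """Pre-2.1.3: stop at the first rule that fires."""
    for chain in build_chains(rules).values():
        for rule in chain:
            if rule_matches(rule, pkt):
                return [rule.msg]
    return []


def event_queue(rules: List[Rule], pkt: Packet, log_n: int = 3,
                order: str = "priority") -> List[str]:
    """2.1.3+: queue every hit, order the queue, report the top log_n."""
    hits = [rule for chain in build_chains(rules).values()
            for rule in chain if rule_matches(rule, pkt)]
    if order == "priority":
        hits.sort(key=lambda r: r.priority)        # stable: ties keep chain order
    elif order == "content_length":
        hits.sort(key=lambda r: -len(r.content or b""))
    else:
        raise ValueError(f"unknown order {order!r}")
    return [rule.msg for rule in hits[:log_n]]


if __name__ == "__main__":
    syn_to_80 = Packet(dport=80, flags="S")        # constructed sample packet
    print("pre-2.1.3 :", first_match(FAQ_RULES, syn_to_80))
    print("2.1.3+    :", event_queue(FAQ_RULES, syn_to_80))
```

Run against the FAQ's SYN-to-port-80 packet, `first_match` returns only "Port 80 SYN!" (the port-80 chain is walked first), while `event_queue` returns both "Port 80 SYN!" and "example"; raising the priority of "example" moves it to the front of the queue, and `log_n=1` trims the queue back to a single alert. In real Snort 2.x the equivalent knob is the `config event_queue: max_queue 8 log 3 order_events content_length` line in snort.conf; the sort keys modelled here are only an approximation of Snort's ordering.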




