[Snort-users] snort rule firing order
Kretzer, Jason R (Big Sandy)
jason.kretzer at ...13486...
Tue Sep 13 07:31:08 EDT 2005
I have a custom rule that I would like to fire instead of a pre-built
rule. Here is my rule
jason at ...13490...:~$ cat /etc/snort/rules/jason.rules
alert ip any any -> !188.8.131.52 any (msg:"BAD-TRAFFIC IP Proto 103 PIM";
ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567;
classtype:non-standard-protocol; sid:1002189; rev:1;)
It is exactly the same as rule 2189 in
/etc/snort/rules/bad-traffic.rules EXCEPT the destination IP, sid, and
I thought my rule would take precedence because it is more "specific"
than the given rule. I would comment it out but oinkmaster which I use
to update my rules automatically just replaces it.
Is there something I am doing wrong?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users