[Snort-users] Order of rules

Dave Corsello snort-users at ...15598...
Thu May 1 15:31:56 EDT 2014


I looked pretty hard for this information and couldn't find it, so maybe 
this will be useful to someone:  it looks like rules with the same 
priority and similar action are processed in sid order.

On 4/29/2014 5:35 PM, Dave Corsello wrote:
> Let me narrow that down.  Assume that no command line options or
> snort.conf options are used to change the order in which rule actions
> are taken, and that rule processing ends after the first hit.
> Basically, I want to know if changing the physical order of two drop
> rules with the same priority in my local.rules file makes a difference,
> or if there's some other default sort order that takes precedence.
>
>
> On 4/29/2014 9:07 AM, Dave Corsello wrote:
>> Here's a very basic question:  In what order are snort rules processed:
>> the order in which they are listed in a rules file, or in gid/sid order?
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>




