[Snort-users] Order of rules

Dave Corsello snort-users at ...15598...
Fri May 2 14:43:41 EDT 2014


Thanks, Joel.

On 5/2/2014 10:36 AM, Joel Esler (jesler) wrote:
> Rule processing does not end after the first hit.
>
> The first hit could be an alert and a pass would take precedence w/ no
> command line/snort.conf options to change that.
>
> Rule order in the config file does not matter, rule evaluation is not 
> linear.
>
> They will be processed in the order in which the fast-pattern matches are
> found in the payload.  The first pattern to occur, rules w/ that pattern
> will be evaluated first and so on.  And the rules within that matching end
> state are evaluated in a tree of options. How options are added into the
> tree is not deterministic from one run to another.
>
> J
>
> On May 1, 2014, at 3:31 PM, Dave Corsello 
> <snort-users at ...15598... 
> <mailto:snort-users at ...15598...>> wrote:
>
>> I looked pretty hard for this information and couldn't find it, so maybe
>> this will be useful to someone:  it looks like rules with the same
>> priority and similar action are processed in sid order.
>>
>> On 4/29/2014 5:35 PM, Dave Corsello wrote:
>>> Let me narrow that down.  Assume that no command line options or
>>> snort.conf options are used to change the order in which rule actions
>>> are taken, and that rule processing ends after the first hit.
>>> Basically, I want to know if changing the physical order of two drop
>>> rules with the same priority in my local.rules file makes a difference,
>>> or if there's some other default sort order that takes precedence.
>>>
>>>
>>> On 4/29/2014 9:07 AM, Dave Corsello wrote:
>>>> Here's a very basic question:  In what order are snort rules processed:
>>>> the order in which they are listed in a rules file, or in gid/sid 
>>>> order?
>>>>
>>>> ------------------------------------------------------------------------------
>>>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>>>> Instantly run your Selenium tests across 300+ browser/OS combos.  Get
>>>> unparalleled scalability from the best Selenium testing platform 
>>>> available.
>>>> Simple to use. Nothing to install. Get started now for free."
>>>> http://p.sf.net/sfu/SauceLabs
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the 
>>>> latest Snort news!
>>>
>>
>>
>
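To make the evaluation order Joel describes concrete, here is an added Python model; it is not Snort's code, and the sids, fast patterns and request payloads are constructed for illustration. It orders rules by where their fast pattern first appears in the payload rather than by file position or sid, evaluates every matching rule instead of stopping at the first hit, and resolves the verdict with an assumed default action order of pass > drop > alert.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    action: str          # "alert", "pass" or "drop"
    fast_pattern: bytes  # the content the multi-pattern matcher searches for
    msg: str

def evaluation_order(rules, payload):
    """Order rules by the offset at which their fast pattern first occurs
    in the payload. File position and sid play no part; rules whose
    pattern never occurs are not evaluated at all."""
    hits = [(payload.find(r.fast_pattern), r) for r in rules]
    hits = [(off, r) for off, r in hits if off != -1]
    # Python's sort is stable, so ties on offset keep input order; this is
    # the spot where real Snort's option-tree order is not deterministic.
    hits.sort(key=lambda h: h[0])
    return [r for _, r in hits]

def verdict(rules, payload):
    """Evaluate every matching rule (processing does not stop at the first
    hit) and resolve the verdict with the assumed default action order
    pass > drop > alert."""
    matched = evaluation_order(rules, payload)
    actions = {r.action for r in matched}
    for action in ("pass", "drop", "alert"):
        if action in actions:
            return action, [r.sid for r in matched]
    return "none", []

# Constructed rules and payloads for illustration only.
RULES = [
    Rule(1000001, "alert", b"/etc/passwd", "sensitive file requested"),
    Rule(1000002, "pass", b"User-Agent: authorised-scanner", "allow-listed scanner"),
    Rule(1000003, "drop", b"cmd.exe", "command interpreter reference"),
]
REQ_A = b"GET /../../etc/passwd HTTP/1.1\r\nUser-Agent: authorised-scanner\r\n"
REQ_B = b"User-Agent: authorised-scanner\r\nX-Path: /etc/passwd\r\n"

if __name__ == "__main__":
    for req in (REQ_A, REQ_B):
        print([r.sid for r in evaluation_order(RULES, req)], verdict(RULES, req))
    # Reversing the file order changes nothing:
    print(verdict(list(reversed(RULES)), REQ_A))
```

Swapping the two rules in the list, or the two header lines in the payload, shows that only the pattern offsets move the evaluation order, while the pass rule decides the verdict either way.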
