[Snort-users] How to turn on first-match-out criteria

Pablo Artuso artusopablo at ...11827...
Wed May 28 07:30:33 EDT 2014

Hi there,

I was doing some more testing on this requirement I have, but unfortunately
I didn't arrive to anything useful.

I have read this post http://seclists.org/snort/2014/q2/546 where Joel
Esler answers a SNORT user that the order in which the rules are applied
doesn't have anything to do about SID's numbers, but it will depend on the
order in which the fast-pattern matches are found in the payload.

I'd like to understand this better, because right now I have no idea on how
to continue... in fact, I'm having two questions:

1) Is there a way to force the order in which SNORT evaluates the rules?
2) Once a rule is matched, and this rule generates an alert, is it possible
to STOP evaluating the rest of the rules?

I've been checking different keywords named in the SNORT manual and some
forums, such us: pass, noalert, flowbits, dynamic rules, activate, etc. But
none of them helped me (or at least I didn't know how to combine them
properly) to get what I need.

I think this could clarify even more my needing: Let's suppose there are
two rules (Rule A and Rule B) where both check if "Y" is present on the
packet, but rule B also check if "X" is present in the packet.
So, if I receive a packet containing "X" and "Y", I want to receive ONLY
the alert of rule B, and not the one coming from rule A.

Does anybody know how to do this? Maybe combining some other keywords?

Thanks in advance,

2014-05-05 12:55 GMT-03:00 Pablo Artuso <artusopablo at ...11827...>:

> Hi, I'm using Snort 2.9 . I have been searching this for hours and didn't
> found the answer (even in the archives of this list). I read that, in
> previous versions, it was the default configuration.
> How can I configure my Snort in order to accomplish both thing :
>          - Alert when a rule match.
>          - Finish. I mean, stop matching other rules.
> Thank you!
> Kind regards,
> Pablo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140528/c611b3b6/attachment.html>

More information about the Snort-users mailing list