[Snort-users] Post Detection Rule

Russ rucombs at ...589...
Wed May 24 06:09:54 EDT 2017



On 5/23/17 8:10 PM, tantioification . wrote:
> No, I don't have.
> I just read the Snort manual and it gives a description of the post-detection rule
> options: "These options are rule specific triggers that happen after a
> rule has 'fired'."
> What is the meaning of that?
"Fired" means the rule "matches".  More specifically that statement 
means that the rule body options (payload and non-payload) and the rule 
header checks (nets and ports) all match and an alert would be raised.  
Most of the post-detection options are really rule actions or logging 
features.  detection_filter is a little different though as it is 
actually the final match criteria that determines whether a rule will 
fire.  If it does fire it is appropriate to evaluate the other 
post-detection options.  You wouldn't want to do something like replace 
a content if the rule doesn't actually fire.
> On May 24, 2017 5:26 AM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>
>> Example being?
>>
>>
>> *--*
>> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>>
>> On May 23, 2017, at 5:47 AM, tantioification . <tantio86 at ...11827...> wrote:
>>
>> Hi,
>>
>> What is the meaning of "rule has fired" in post-detection rule options?
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>>
>>
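The evaluation order described in the reply above (rule header, then payload options, then detection_filter as the last gate, and post-detection actions such as replace only once the rule actually fires), modelled as an added Python example. This is not Snort source and not code from anyone in the thread; the window handling (a fixed window that starts at the first tracked match, with the rule firing once the match count exceeds `count`) and the sample traffic are assumptions that approximate the manual's description, and the `sid`, hosts and payloads are constructed.

```python
"""Toy model of Snort rule evaluation order (added illustration, not Snort code):
header checks -> payload options -> detection_filter (final gate) -> post-detection.
Window semantics are an assumption approximating the manual, not Snort's exact code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class DetectionFilter:
    track: str           # "by_src" or "by_dst"
    count: int           # matches that must be exceeded within `seconds`
    seconds: float
    _state: dict = field(default_factory=dict)   # key -> (window_start, matches)

    def passes(self, pkt: Packet) -> bool:
        """Record one rule match for the tracked host; True once the rate is exceeded."""
        key = pkt.src if self.track == "by_src" else pkt.dst
        start, n = self._state.get(key, (pkt.ts, 0))
        if pkt.ts - start > self.seconds:        # assumption: window expired, start over
            start, n = pkt.ts, 0
        n += 1
        self._state[key] = (start, n)
        return n > self.count


@dataclass
class Rule:
    sid: int
    dport: int
    content: bytes
    detection_filter: Optional[DetectionFilter] = None
    replace: Optional[bytes] = None   # post-detection option; Snort requires equal length


def evaluate(rule: Rule, pkt: Packet) -> Optional[dict]:
    """Return an event dict if the rule fires for pkt, else None."""
    if pkt.dport != rule.dport:                  # rule header (ports)
        return None
    if rule.content not in pkt.payload:          # rule body: content option
        return None
    if rule.detection_filter is not None and not rule.detection_filter.passes(pkt):
        return None                              # matched, but did not fire
    event = {"sid": rule.sid, "ts": pkt.ts, "src": pkt.src}
    if rule.replace is not None:                 # post-detection: only once fired
        pkt.payload = pkt.payload.replace(rule.content, rule.replace, 1)
        event["replaced"] = True
    return event


def run(rule: Rule, packets: list) -> list:
    return [e for e in (evaluate(rule, p) for p in packets) if e is not None]


def demo() -> list:
    # Constructed traffic: five matching packets from one host within 60 s,
    # two from another host, and one on port 22 without the content.
    pkts = [Packet(t, "10.2.2.2", "10.1.1.5", 22, b"SSH-2.0 Failed password")
            for t in (0, 5, 10, 15, 20)]
    pkts += [Packet(t, "10.3.3.3", "10.1.1.5", 22, b"SSH-2.0 Failed password")
             for t in (1, 2)]
    pkts.append(Packet(3, "10.4.4.4", "10.1.1.5", 22, b"SSH-2.0 hello"))
    pkts.sort(key=lambda p: p.ts)
    rule = Rule(sid=1000001, dport=22, content=b"Failed password",
                detection_filter=DetectionFilter("by_src", count=3, seconds=60),
                replace=b"Masked password")   # same length as the content
    return run(rule, pkts)


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Only the fourth and fifth packets from 10.2.2.2 produce events; the first three match every header and payload check yet do not fire, so their payloads are left untouched, which is the point about replace in the reply above.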