[Snort-users] Post Detection Rule

tantioification . tantio86 at ...11827...
Wed May 24 12:16:48 EDT 2017


Thank you Russ for your explanation, it is very helpful for me to learn.

On May 24, 2017 5:09 PM, "Russ" <rucombs at ...589...> wrote:

>
>
> On 5/23/17 8:10 PM, tantioification . wrote:
>
>> No, I don't have.
>> I just read the Snort manual and it gives a description of post-detection rule
>> options that "These options are rule specific triggers that happen after a
>> rule has "fired""
>> What is the meaning of it?
>>
> "Fired" means the rule "matches".  More specifically that statement means
> that the rule body options (payload and non-payload) and the rule header
> checks (nets and ports) all match and an alert would be raised.  Most of
> the post-detection options are really rule actions or logging features.
> detection_filter is a little different though as it is actually the final
> match criteria that determines whether a rule will fire.  If it does fire
> it is appropriate to evaluate the other post-detection options.  You
> wouldn't want to do something like replace a content if the rule doesn't
> actually fire.
>
>> On May 24, 2017 5:26 AM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>>
>> Example being?
>>>
>>> *--*
>>> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>>>
>>> On May 23, 2017, at 5:47 AM, tantioification . <tantio86 at ...11827...>
>>> wrote:
>>>
>>> Hi,
>>>
>>> What is the meaning of "rule has fired" in post-detection rule options?
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>>
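The firing pipeline Russ describes above (header checks and body options must match, detection_filter is then the final criterion that decides whether the rule fires, and only a rule that fires gets its post-detection options applied) can be followed in a small simulation. The code below is an added illustration written for this page, not Snort source and not code from anyone in the thread; the rule, the packet stream and the `tag` action it carries are constructed, and the detection_filter is modelled as a simple sliding window rather than Snort's actual implementation.

```python
"""Constructed simulation of Snort's rule-firing pipeline: header checks,
body (payload) options, then detection_filter as the final match criterion,
and only then the post-detection options. Illustration only, not Snort code."""
from collections import defaultdict

# Constructed rule, modelled on a Snort rule of this shape:
#   alert tcp any any -> any 22 (msg:"SSH connection burst"; content:"SSH-";
#     detection_filter:track by_src, count 3, seconds 10;
#     tag:session,5,packets; sid:1000001;)
RULE = {
    "proto": "tcp",
    "dst_port": 22,
    "content": b"SSH-",
    "detection_filter": {"track": "by_src", "count": 3, "seconds": 10},
    "post_detection": ["tag:session,5,packets"],   # applied only if the rule fires
}


def header_matches(rule, pkt):
    """Rule header: protocol, nets and ports (nets are 'any' in this rule)."""
    return pkt["proto"] == rule["proto"] and pkt["dst_port"] == rule["dst_port"]


def body_matches(rule, pkt):
    """Rule body: payload options. Only a single 'content' is modelled here."""
    return rule["content"] in pkt["payload"]


class DetectionFilter:
    """Sliding-window model of detection_filter: the rule fires on the count-th
    match within 'seconds' for the tracked address and on every later match
    that still falls inside the window. (Simplification of Snort's tracker.)"""

    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.hits = defaultdict(list)

    def allows(self, pkt):
        key = pkt["src"] if self.track == "by_src" else pkt["dst"]
        window = [t for t in self.hits[key] if pkt["ts"] - t < self.seconds]
        window.append(pkt["ts"])
        self.hits[key] = window
        return len(window) >= self.count


def evaluate(rule, dfilter, pkt):
    """Return the post-detection actions to apply if the rule fires, else None."""
    if not header_matches(rule, pkt) or not body_matches(rule, pkt):
        return None                      # no match at all
    if not dfilter.allows(pkt):
        return None                      # matched, but detection_filter says: not fired
    return list(rule["post_detection"])  # fired: post-detection options now apply


def run(rule, packets):
    """Feed a packet stream through the rule; return (ts, src, actions) per firing."""
    dfilter = DetectionFilter(**rule["detection_filter"])
    fired = []
    for pkt in packets:
        actions = evaluate(rule, dfilter, pkt)
        if actions is not None:
            fired.append((pkt["ts"], pkt["src"], actions))
    return fired


def mk(ts, src, payload=b"SSH-2.0-client", dst_port=22):
    """Build a constructed packet record."""
    return {"ts": ts, "proto": "tcp", "src": src, "dst": "10.0.0.1",
            "dst_port": dst_port, "payload": payload}


# Constructed packet stream: four SSH banners from 10.0.0.5 inside 10 seconds,
# one from 10.0.0.9, one to the wrong port, and a late one after the window expired.
PACKETS = [
    mk(0.0, "10.0.0.5"), mk(2.0, "10.0.0.5"), mk(3.0, "10.0.0.9"),
    mk(4.0, "10.0.0.5"), mk(6.0, "10.0.0.5"),
    mk(7.0, "10.0.0.5", dst_port=80),   # header check fails: never reaches the filter
    mk(30.0, "10.0.0.5"),               # matches, but window expired: does not fire
]

if __name__ == "__main__":
    for ts, src, actions in run(RULE, PACKETS):
        print(f"t={ts:>5}  {src}  FIRED -> post-detection: {actions}")
```

Run as a script, it reports firings only at t=4.0 and t=6.0 from 10.0.0.5: the first two matches and the packet from 10.0.0.9 match the rule but do not fire, so their `tag` action is never applied, which is exactly the distinction between "matches" and "fires" drawn above.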