From: Olivier Grumelard (olivier.grumelard enst.fr)
Date: Mon Jun 25 2001 - 13:45:55 CDT
Hi,
As far as I know (and have observed), Snort will only trigger the first
matching rule. This, of course, does not hold true if the rules are not of
the same type, the priority order being (from highest to lowest) activate,
dynamic, alert, pass and log.
Hope that helps,
Olivier Grumelard.
At 13:27 25/06/01 -0400, Sheahan, Paul (PCLN-NW) wrote:
>I am writing some of my own rules on my new Snort server and have a
>question:
>
>If incoming traffic matches two rules, will BOTH rules trigger an alert, or
>just one? For example, there is a rule that checks for "cmd.exe" execution
>on NT servers. I also created a rule that searches for the contents
>"winnt/system32" to see if anyone was capable of bringing up a directory on
>one of my servers. Well, an attack appeared in my logs recently that
>contained "winnt/system32/cmd.exe", but only the "cmd.exe" rule was
>triggered, and not my custom rule. I'm wondering if Snort is supposed to
>trigger both, or just one of the rules?
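The behaviour Olivier describes can be replayed offline. The following is an added example, not Snort's code and not taken from either message: a toy model that takes the type evaluation order from his reply (activate, dynamic, alert, pass, log), keeps file order within a type, and stops at the first content hit. The rule file and the HTTP request line below are constructed for the example (the rule messages and the `$HOME_NET` variable are placeholders), and only the `content` option is evaluated; it is enough to show why Paul saw one alert for a request that matched two rules, and to list the rules that were silently skipped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Evaluation order of rule types, highest priority first, as stated in
# Olivier's reply. This is the model's assumption, not read from Snort.
RULE_TYPE_ORDER = ["activate", "dynamic", "alert", "pass", "log"]

# Constructed rule set (not the real Snort distribution rules).
RULES = """
log   tcp any any -> $HOME_NET 80 (msg:"LOCAL log any cmd.exe hit"; content:"cmd.exe";)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe";)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL winnt/system32 directory"; content:"winnt/system32";)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL full path cmd.exe"; content:"winnt/system32/cmd.exe";)
"""

# Constructed request line standing in for the packet Paul saw in his logs.
PAYLOAD = "GET /winnt/system32/cmd.exe HTTP/1.0"


@dataclass
class Rule:
    rtype: str    # activate / dynamic / alert / pass / log
    content: str  # payload substring the rule looks for
    msg: str      # rule message
    index: int    # position in the rule file


# "<type> <proto> <src> <sport> -> <dst> <dport> (<options>)".  The header
# fields are parsed but not evaluated: only the payload matters here.
RULE_RE = re.compile(r"^(\w+)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$")


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines that carry a content option; skip blanks and comments."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        rtype, opts = m.group(1), m.group(2)
        if rtype not in RULE_TYPE_ORDER:
            raise ValueError(f"unknown rule type {rtype!r}")
        fields = {}
        for opt in opts.split(";"):
            opt = opt.strip()
            if opt:
                name, _, value = opt.partition(":")
                fields[name.strip()] = value.strip().strip('"')
        rules.append(Rule(rtype, fields["content"], fields.get("msg", ""), len(rules)))
    return rules


def evaluation_order(rules: List[Rule]) -> List[Rule]:
    """Rules in the order the model tries them: by type, then file order.
    sorted() is stable, so ties within a type keep their file position."""
    return sorted(rules, key=lambda r: RULE_TYPE_ORDER.index(r.rtype))


def all_matches(rules: List[Rule], payload: str) -> List[Rule]:
    """Every rule whose content occurs in the payload, in file order."""
    return [r for r in rules if r.content in payload]


def first_match(rules: List[Rule], payload: str) -> Optional[Rule]:
    """The single rule that fires under first-match semantics."""
    for r in evaluation_order(rules):
        if r.content in payload:
            return r
    return None


def suppressed_matches(rules: List[Rule], payload: str) -> List[str]:
    """Messages of rules that matched the payload but did not fire because
    an earlier rule already won. This is the list Paul was missing."""
    winner = first_match(rules, payload)
    return [r.msg for r in evaluation_order(rules)
            if r.content in payload and r is not winner]


def shadowed_pairs(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Static lint: (winner, loser) pairs where the loser can never fire,
    because the winner's content is a substring of the loser's and the
    winner is tried first. Catches dead rules before any traffic arrives."""
    ordered = evaluation_order(rules)
    pairs = []
    for i, winner in enumerate(ordered):
        for loser in ordered[i + 1:]:
            if winner.content in loser.content:
                pairs.append((winner.msg, loser.msg))
    return pairs


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    hit = first_match(parsed, PAYLOAD)
    print("fired:     ", hit.msg if hit else None)
    print("suppressed:", suppressed_matches(parsed, PAYLOAD))
    print("dead rules:", shadowed_pairs(parsed))
```

Running it shows the `log` rule listed first in the file still losing to the `alert` rules, because type order is applied before file order; within the `alert` type the `cmd.exe` rule wins on file position and the `winnt/system32` rule is suppressed, which is exactly Paul's observation. Note also that under this ordering a `pass` rule is tried after `alert`, so it cannot suppress an alert for the same content. `shadowed_pairs` is the check worth adding to a rule-review script: a rule whose content strictly extends an earlier rule's content is dead under first-match and should either be merged with the shorter rule or moved ahead of it.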
_______________________________________________
Snort-users mailing list
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users