[Snort-users] ruleset priority

From: Brian D. Hamm (brian.hammextensys.biz)
Date: Sat Apr 10 2004 - 22:27:42 CDT


Why does the less specific rule continue to fire over the rule with a
specific destination IP address set? I have tried switching the order,
moving the 8.8.8.8 rule to local.rules, and even tried adding a /32 but
the more generic any any -> any 69 continues to fire. The only way I
can get the 8.8.8.8 rule to fire is to change the more generic rule to
any any -> any 70. It does fire then so I know the rule is valid.

alert udp any any -> 8.8.8.8 69 (msg:"TFTP 8888 GET"; content:"|00 01|";
offset:0; depth:2; classtype:not-suspicious; sid:1444; rev:2;)
alert udp any any -> any 69 (msg:"TFTP Z Get"; content:"|00 01|";
offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)

I read the README.

Thanks,

Brian
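One thing worth checking in a ruleset like the one above before reasoning about match order: both rules carry sid:1444 and rev:2. Snort keys each rule on its gid:sid pair, so two rules that share a sid are not two independent signatures as far as the engine and any downstream alert tooling are concerned, and a ruleset that reuses a sid should be caught before it is loaded. The following is an added example (not from the post or the Snort project) of a small linter that parses Snort 2 rule lines and reports any sid used more than once. The sample input is constructed: the two rules from the post plus a third rule with a made-up unique sid (1000001) to show a clean entry.

```python
import re
from collections import defaultdict

# Constructed input: the two rules quoted in the post (both sid:1444) plus one
# extra rule with a unique, made-up sid so the linter has a clean entry to pass.
SAMPLE_RULES = """\
alert udp any any -> 8.8.8.8 69 (msg:"TFTP 8888 GET"; content:"|00 01|"; offset:0; depth:2; classtype:not-suspicious; sid:1444; rev:2;)
alert udp any any -> any 69 (msg:"TFTP Z Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)
alert udp any any -> any 70 (msg:"TFTP port 70 GET"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1000001; rev:1;)
"""

# Snort 2 rule header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            part = "".join(buf).strip()
            if part:
                parts.append(part)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line):
    """Return {'header': {...}, 'options': {...}} or None for a non-rule line."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    header = m.groupdict()
    options = {}
    for part in split_options(header.pop("opts")):
        key, _, val = part.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"header": header, "options": options}


def find_duplicate_sids(text):
    """Map (gid, sid) -> [(line_no, msg), ...] for every sid used more than once."""
    seen = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        rule = parse_rule(line)
        if rule is None:
            continue  # not a rule line (e.g. include/var directive)
        opts = rule["options"]
        key = (opts.get("gid", "1"), opts.get("sid"))  # Snort's default gid is 1
        seen[key].append((lineno, opts.get("msg")))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    for (gid, sid), hits in find_duplicate_sids(SAMPLE_RULES).items():
        lines = [n for n, _ in hits]
        print(f"sid {gid}:{sid} reused on lines {lines}: {[m for _, m in hits]}")
```

Run against the sample it reports sid 1:1444 on lines 1 and 2 and nothing for the third rule; pointing it at a real rules directory before a reload is the cheap way to rule out sid collisions as the cause of a signature that never seems to fire.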

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users