Re: [Snort-users] A simple question........
From: Jason (security@brvenik.com)
Date: Tue Sep 14 2004 - 21:46:55 CDT
I believe you are noticing a difference of behavior introduced in 2.1.3.
Go to http://www.snort.org and search for "Snort 2.1.3 Release Candidate 1 released",
where it is noted that event queuing was added.
Dennis George wrote:
> Hi Is anybody there who can solve this simple problem...
>
> Dennis
>
> Dennis George <easyeinfo@yahoo.com> wrote:
>
> Hi
>
> This is an extract from Snort's FAQ (www.snort.org):
> ==========================================================
> alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
> alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
> alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
> alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
>
> Note that all three of the port 80 rules will be checked before the
> "1:1024" rule due to the order in which the applicable RTN has been
> created. This is because the rules parser builds the first chain
> header for port 80 traffic and sticks it on the rules list, then on
> the next rule it sees that a new chain header is required, so it gets
> built and put in place. In this case you would intuitively expect to
> get the "example" message and never see the "Port 80 SYN!", but the
> opposite is true.
> ==========================================================
>
> So this means that Snort will not check further if any of the rules
> is matched..... Am I correct????
>
> By the way, I am using Snort 2.1.0..... And is it possible in Snort 2.2.0?
> ..... Is it the default action in Snort 2.2.0, or do we have to do
> some work to enable it????
>
> Pedro Fortuna <pedro.fortuna@gmail.com> wrote:
>
> Hello,
>
> 1) In these cases, only the highest priority rule will generate an
> alert.
> 2) I don't know the answer for sure, but my guess is:
> - if the two rules are equal except for the SID, you'll get two alerts
> - if the two rules are completely equal (SID included), you'll get an error
> on Snort start.
>
> -Pedro Fortuna
>
>
> "Esler, Joel - Contractor" <joel.esler@rcert-s.army.mil> wrote:
> Depends on what version of Snort you are running. Apparently Snort
> 2.2.0 alerts off of multiple rules.
>
> Joel
>
>
> ----- Original Message -----
> From: Dennis George
> Date: Mon, 13 Sep 2004 02:44:08 -0700 (PDT)
> Subject: [Snort-users] A simple question........
> To: snort-users@lists.sourceforge.net
>
>
> Hi all,
>
> I think it will be a simple question............ But I am slightly
> confused..........
>
> 1) If in my rule file I have 3 rules and in a packet all the 3 rules
> get satisfied... do I get all three alerts??
>
> 2) If I have two identical rules, then does Snort discard one of the
> rules or generate two alerts when that rule is satisfied???
>
> thanks in advance
>
> Dennis
>
>
>
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users