Re: [Snort-users] A simple question........

From: Martin Roesch (roesch@sourcefire.com)
Date: Thu Sep 16 2004 - 22:40:36 CDT


The FAQ needs to be updated....

      -Marty

On Sep 14, 2004, at 10:46 PM, Jason wrote:

> I believe you are noticing a difference of behavior introduced in 2.1.3
>
> http://www.snort.org
>
> search for Snort 2.1.3 Release Candidate 1 released
>
> where it is noted that event queuing was added.
>
> Dennis George wrote:
>
>> Hi, is anybody there who can solve this simple problem...
>> Dennis
>> Dennis George <easyeinfo@yahoo.com> wrote:
>> Hi
>> This is an extract from snort's FAQ (www.snort.org)
>> ==========================================================
>> alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
>> alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
>> alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
>> alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
>>
>> Note that all three of the port 80 rules will be checked before the
>> "1:1024" rule due to the order in which the applicable RTN has been
>> created. This is because the rules parser builds the first chain
>> header for port 80 traffic and sticks it on the rules list, then on
>> the next rule it sees that a new chain header is required, so it gets
>> built and put in place. In this case you would intuitively expect to
>> get the "example" message and never see the "Port 80 SYN!", but the
>> opposite is true.
>> ==========================================================
>> So this means that snort will not check further if any of the rules
>> is matched..... Am I correct ????
>> By the way, I am using snort 2.1.0 ..... And is it possible in Snort 2.2.0
>> ..... Is it the default action in Snort 2.2.0 or do we have to do
>> some work to enable it ????
>> Pedro Fortuna <pedro.fortuna@gmail.com> wrote:
>> Hello,
>> 1) In these cases, only the highest priority rule will generate an
>> alert.
>> 2) I don't know the answer for sure, but my guess is:
>> - if the two rules are equal except for the SID, you'll get two alerts
>> - if the two rules are completely equal (SID included), you'll get an error
>> on snort start.
>> -Pedro Fortuna
>> "Esler, Joel - Contractor" <joel.esler@rcert-s.army.mil> wrote:
>> Depends on what version of Snort you are running. Apparently Snort
>> 2.2.0 alerts off of multiple rules.
>> Joel
>> ----- Original Message -----
>> From: Dennis George
>> Date: Mon, 13 Sep 2004 02:44:08 -0700 (PDT)
>> Subject: [Snort-users] A simple question........
>> To: snort-users@lists.sourceforge.net
>> Hi all,
>> I think it will be a simple question............ But I am slightly
>> confused..........
>> 1) If in my rule file I have 3 rules and in a packet all the 3 rules
>> get satisfied... do I get all the three alerts ??
>> 2) If I have two identical rules then does snort discard one of the
>> rule or generate two alerts when that rule is satisfied ???
>> thanks in advance
>> Dennis
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
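The FAQ extract quoted above explains why the pre-2.1.3 engine reported "Port 80 SYN!" rather than "example": rules are grouped under chain headers (RTNs) in the order the parser first needed each header, the engine walks the port-80 group first, and it stopped at the first hit. Jason's point is that 2.1.3 replaced that with an event queue, so several rules can fire on one packet. The toy model below is an added illustration written for this archive page, not Snort source code: its rule parser and matcher are deliberately simplified (addresses are not checked, every sample packet is assumed to be bound for $HOME, and `flags: S` is treated as an exact flag set). It parses the four FAQ rules plus one constructed fifth rule with a longer content, and compares first-match walking with a queue whose `max_queue`, `log` and `order_events` parameters mirror the documented `config event_queue` defaults.

```python
"""Toy model of first-match rule walking vs. the 2.1.3+ event queue.
Added illustration for the thread above; not Snort source."""
import re
from collections import OrderedDict

# Four rules quoted from the Snort FAQ, plus one CONSTRUCTED rule (last line)
# added here only to show content-length ordering inside the event queue.
RULES_TEXT = """
alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
alert tcp any any -> $HOME 80 (content: "foobaz"; msg: "foobaz";)
"""

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


def parse_rule(line):
    """Split one rule into its header tuple and the few options this model uses."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % line)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(body)}
    return {"header": (action, proto, src, sport, dst, dport),
            "content": opts.get("content"),
            "flags": opts.get("flags"),
            "msg": opts["msg"]}


def parse_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def port_matches(spec, port):
    """Snort-style port field: 'any', a single port, or an inclusive 'lo:hi' range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Simplified matcher: protocol, destination port, exact TCP flag set,
    content as a payload substring. Addresses are ignored (assumed $HOME)."""
    _, proto, _, _, _, dport = rule["header"]
    if proto != pkt["proto"] or not port_matches(dport, pkt["dport"]):
        return False
    if rule["flags"] is not None and set(rule["flags"]) != set(pkt["flags"]):
        return False
    if rule["content"] is not None and rule["content"].encode() not in pkt["payload"]:
        return False
    return True


def chain_walk_order(rules):
    """Order the old engine visits rules: each rule hangs under the chain header
    (RTN) created for the first rule that needed it; headers in creation order."""
    chains = OrderedDict()
    for r in rules:
        chains.setdefault(r["header"], []).append(r)
    return [r for group in chains.values() for r in group]


def first_match_alert(rules, pkt):
    """Behaviour the FAQ describes: stop at the first rule that fires."""
    for r in chain_walk_order(rules):
        if rule_matches(r, pkt):
            return r["msg"]
    return None


def queued_alerts(rules, pkt, max_queue=8, log=3, order_events="content_length"):
    """2.1.3+ behaviour: every hit is collected, the queue is ordered, at most
    max_queue events are kept and the first `log` of them are reported.
    Defaults follow the documented `config event_queue` defaults; the
    tie-break (detection order) is this model's assumption."""
    hits = [r for r in chain_walk_order(rules) if rule_matches(r, pkt)]
    if order_events == "content_length":
        hits.sort(key=lambda r: -len(r["content"] or ""))  # stable: ties keep order
    elif order_events != "priority":
        raise ValueError("unknown order_events: %r" % order_events)
    # "priority": none of these rules carries a priority option, so detection
    # order stands; a real config would rank by classtype/priority here.
    return [r["msg"] for r in hits[:max_queue][:log]]


RULES = parse_rules(RULES_TEXT)

# Constructed sample packets (no real capture): a bare SYN to port 80, and a
# data segment carrying both "foo" and "baz" (hence "foobaz") in its payload.
SYN_TO_80 = {"proto": "tcp", "dport": 80, "flags": "S", "payload": b""}
DATA_TO_80 = {"proto": "tcp", "dport": 80, "flags": "PA",
              "payload": b"GET /foobaz HTTP/1.0\r\n"}

if __name__ == "__main__":
    print("first match, SYN :", first_match_alert(RULES, SYN_TO_80))   # Port 80 SYN!
    print("queued, SYN      :", queued_alerts(RULES, SYN_TO_80))       # both SYN rules
    print("queued, SYN log=1:", queued_alerts(RULES, SYN_TO_80, log=1))
    print("first match, data:", first_match_alert(RULES, DATA_TO_80))  # foo
    print("queued, data     :", queued_alerts(RULES, DATA_TO_80))      # foobaz first
```

With the bare SYN, first-match walking yields "Port 80 SYN!" exactly as the FAQ says, while the queue reports both "Port 80 SYN!" and "example"; setting `log 1` reproduces the "only one rule alerts" outcome Pedro describes. On the data segment the queue's content-length ordering puts the longer "foobaz" match ahead of "foo" and "baz", which is why the `order_events` setting matters when several content rules overlap on the same traffic.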

_______________________________________________
Snort-users mailing list
snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users