Changing Alert Order

The default way in which Snort applies its rules to packets may not be appropriate for all installations. Alert rules are applied first, then Pass rules, and finally Log rules. This sequence is somewhat counterintuitive, but it is a more foolproof method than allowing a user to write a hundred alert rules that are then disabled by an errant pass rule. For more information on rule types, see Section 3.2.1.

If you know what you're doing, you can use the -o switch to change the default rule application behaviour so that Pass rules are applied first, then Alert rules, then Log rules:

    ./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf -o

Be aware that with -o a pass rule that matches a packet silences every alert rule for that packet, so an over-broad pass rule can disable detection without any visible error.

As of Snort 2.6.0, the command line flags --alert-before-pass and --treat-drop-as-alert were added to handle changes to rule ordering and to fix an issue where pass and drop rules were not always enforced. The --alert-before-pass option forces alert rules to take effect ahead of a matching pass rule. The --treat-drop-as-alert option causes drop, sdrop, and reject rules, and any associated alerts, to be logged as alerts rather than taking their normal action. This allows an inline policy to be used in passive/IDS mode.

Additionally, the --process-all-events option causes Snort to process every event associated with a packet, while still taking the action determined by the rule ordering. Without this option (the default), only the events for the first action in rule order are processed.
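The following is an added illustration, not code from Snort or from this manual: a small Python model of the rule-ordering behaviour described above (default alert/pass/log order, the -o switch, --alert-before-pass, --treat-drop-as-alert and --process-all-events). The rules, the packet and the dict-subset matcher are constructed stand-ins for Snort's rule language and detection engine, and the model assumes that drop, sdrop and reject rules share the alert slot in the ordering, which the manual text does not state.

```python
"""Model of Snort 2.x rule-action ordering (added example, not Snort code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DROP_FAMILY = ("drop", "sdrop", "reject")


@dataclass
class Rule:
    action: str               # alert | pass | log | drop | sdrop | reject
    match: Dict[str, object]  # packet fields that must match (stand-in for rule options)
    msg: str


@dataclass(frozen=True)
class Options:
    pass_first: bool = False           # -o
    alert_before_pass: bool = False    # --alert-before-pass
    treat_drop_as_alert: bool = False  # --treat-drop-as-alert
    process_all_events: bool = False   # --process-all-events


def action_order(opts: Options) -> List[str]:
    """Order of the action groups as the manual describes it: alert, pass, log
    by default; -o makes it pass, alert, log unless --alert-before-pass
    forces alert rules ahead of pass rules again."""
    if opts.pass_first and not opts.alert_before_pass:
        return ["pass", "alert", "log"]
    return ["alert", "pass", "log"]


def effective_action(rule: Rule, opts: Options) -> str:
    """With --treat-drop-as-alert, drop/sdrop/reject rules are logged as
    plain alerts (so an inline policy can run in passive/IDS mode)."""
    if rule.action in DROP_FAMILY:
        return "alert" if opts.treat_drop_as_alert else "drop"
    return rule.action


def matches(rule: Rule, pkt: Dict[str, object]) -> bool:
    return all(pkt.get(k) == v for k, v in rule.match.items())


def evaluate(rules: List[Rule], pkt: Dict[str, object], opts: Options) -> Tuple[str, List[str]]:
    """Return (verdict, events). The verdict comes from the first action group
    (in configured order) with a matching rule. Without --process-all-events
    evaluation stops after that group; with it, later groups' events are still
    processed but the verdict does not change."""
    # Model assumption: drop-family rules are evaluated in the alert slot.
    groups: Dict[str, List[Tuple[Rule, str]]] = {"alert": [], "pass": [], "log": []}
    for r in rules:
        eff = effective_action(r, opts)
        groups["alert" if eff == "drop" else eff].append((r, eff))

    verdict, events = "none", []
    for slot in action_order(opts):
        hits = [(r, eff) for r, eff in groups[slot] if matches(r, pkt)]
        if not hits:
            continue
        if verdict == "none":
            verdict = "drop" if any(eff == "drop" for _, eff in hits) else slot
        if slot != "pass":                      # pass rules generate no events
            events.extend(f"{eff}:{r.msg}" for r, eff in hits)
        if not opts.process_all_events:
            break
    return verdict, events


# Constructed rule set and packet (not from the manual).
RULES = [
    Rule("alert", {"proto": "tcp", "dport": 23}, "TELNET login attempt"),
    Rule("pass",  {"proto": "tcp", "dport": 23, "src": "10.0.0.5"}, "trusted jump host"),
    Rule("drop",  {"proto": "tcp", "dport": 23, "flags": "S"}, "block telnet SYN"),
    Rule("log",   {"proto": "tcp"}, "all tcp"),
]
PKT = {"proto": "tcp", "dport": 23, "src": "10.0.0.5", "flags": "S"}

if __name__ == "__main__":
    for label, opts in [
        ("default", Options()),
        ("-o", Options(pass_first=True)),
        ("-o --alert-before-pass", Options(pass_first=True, alert_before_pass=True)),
        ("--treat-drop-as-alert", Options(treat_drop_as_alert=True)),
        ("-o --process-all-events", Options(pass_first=True, process_all_events=True)),
    ]:
        print(f"{label:28s} -> {evaluate(RULES, PKT, opts)}")
```

Running it shows the point the manual makes: in the default order the telnet alert and drop fire before the pass rule is ever consulted, with -o the pass rule for the jump host wins and the alerts vanish, --alert-before-pass restores the alert, --treat-drop-as-alert turns the drop into a logged alert, and --process-all-events still passes the packet but records every event that matched.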
Steven Sturges 2008-04-01