[Snort-users] snort rule firing order

This is a multi-part message in MIME format.

------_=_NextPart_001_01C5B86F.E9958B73
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Hello all,
=20
I have a custom rule that I would like to fire instead of a pre-built
rule. Here is my rule
=20
jason@bgswebtest:~$ cat /etc/snort/rules/jason.rules
alert ip any any -> !224.0.0.13 any (msg:"BAD-TRAFFIC IP Proto 103 PIM";
ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567;
classtype:non-standard-protocol; sid:1002189; rev:1;)

It is exactly the same as rule 2189 in
/etc/snort/rules/bad-traffic.rules EXCEPT the destination IP, sid, and
rev.
=20
I thought my rule would take precedence because it is more "specific"
than the given rule. I would comment it out but oinkmaster which I use
to update my rules automatically just replaces it.
=20
Is there something I am doing wrong?
=20
-Jason
=20
=20

------_=_NextPart_001_01C5B86F.E9958B73
Content-Type: text/html;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2900.2668" name=3DGENERATOR></HEAD>
<BODY>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial size=3D2>Hello=20
all,</FONT></SPAN></DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial size=3D2>I have =
a custom rule=20
that I would like to fire instead of a pre-built rule.&nbsp; Here is my=20
rule</FONT></SPAN></DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial size=3D2><A=20
href=3D"mailto:jason@bgswebtest:~$">jason@bgswebte st:~$</A> cat=20
/etc/snort/rules/jason.rules<BR>alert ip any any -&gt; !224.0.0.13 any=20
(msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; =
reference:bugtraq,8211;=20
reference:cve,2003-0567; classtype:non-standard-protocol; sid:1002189;=20
rev:1;)<BR></FONT></SPAN></DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial size=3D2>It is =
exactly the=20
same as rule 2189 in /etc/snort/rules/bad-traffic.rules EXCEPT the =
destination=20
IP, sid, and rev.</FONT></SPAN></DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial size=3D2>I =
thought my rule=20
would take precedence because it is more "specific" than the given =
rule.&nbsp; I=20
would comment it out but oinkmaster which I use to update my rules =
automatically=20
just replaces it.</FONT></SPAN></DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial size=3D2>Is =
there something I=20
am doing wrong?</FONT></SPAN></DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D600122514-13092005><FONT face=3DArial=20
size=3D2>-Jason</FONT></SPAN></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------_=_NextPart_001_01C5B86F.E9958B73--


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users