Next: Packet Acquisition
Up: Network Intrusion Detection System
Previous: High Performance Configuration
Contents
The default way in which Snort applies its rules to packets may not be
appropriate for all installations. By default, Pass rules are applied first, then
Drop rules, then Alert rules, and finally Log rules.
Note:
Sometimes an errant pass rule can cause alerts not to show up, because the
pass rule matches first and stops processing of that packet. In that case you
can change the default ordering so that Alert rules are applied before Pass
rules. For more information, please refer to the --alert-before-pass option.
Several command line options are available to change the order in
which rule actions are taken.
- --alert-before-pass forces alert rules to take
effect in favor of a pass rule.
- --treat-drop-as-alert causes drop and reject rules and
any associated alerts to be logged as alerts, rather than the normal
action. This allows use of an inline policy with passive/IDS mode.
The sdrop rules are not loaded.
- --process-all-events causes Snort to process
every event associated with a packet, while taking the actions based
on the rule ordering. Without this option (the default case), only the
events for the first action in the rule ordering are processed.
Note:
Pass rules are a special case here, in that event processing is terminated
when a pass rule is encountered, regardless of whether
--process-all-events is used.
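The following is an added example, not Snort source code, that models the rule-action ordering and the three options described above so their combined effect can be seen on a constructed rule set. It assumes that drop, sdrop and reject rules share the single "Drop" slot in the ordering, and that --alert-before-pass moves pass to just after alert (the page only states that alert precedes pass in that mode; the exact slot is an assumption). The rule sets and the packet they "match" are constructed inline.

```python
"""Model of Snort rule-action ordering (added example, not Snort code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Default ordering as stated on the page: Pass, Drop, Alert, Log.
DEFAULT_ORDER = ["pass", "drop", "alert", "log"]
# ASSUMPTION: with --alert-before-pass we model pass as moving to just
# after alert; the page only says alert is applied before pass.
ALERT_BEFORE_PASS_ORDER = ["drop", "alert", "pass", "log"]


@dataclass(frozen=True)
class Rule:
    sid: int
    action: str  # pass | drop | sdrop | reject | alert | log
    msg: str


@dataclass
class Options:
    alert_before_pass: bool = False
    treat_drop_as_alert: bool = False
    process_all_events: bool = False


def load_rules(rules: List[Rule], opts: Options) -> List[Rule]:
    """Load-time effects of --treat-drop-as-alert: drop and reject
    rules become alert rules, and sdrop rules are not loaded at all."""
    loaded = []
    for r in rules:
        if opts.treat_drop_as_alert:
            if r.action == "sdrop":
                continue
            if r.action in ("drop", "reject"):
                r = Rule(r.sid, "alert", r.msg)
        loaded.append(r)
    return loaded


def action_rank(action: str, order: List[str]) -> int:
    """Position of a rule action in the ordering; drop-like actions
    (drop, sdrop, reject) all occupy the Drop slot (assumption)."""
    key = "drop" if action in ("drop", "sdrop", "reject") else action
    return order.index(key)


def process_packet(matching: List[Rule], opts: Options) -> List[Tuple[str, int]]:
    """Return the (action, sid) pairs acted on for one packet whose
    content matched every rule in `matching`.

    Default: only the rules of the first action in the ordering fire.
    --process-all-events: rules of every action fire, in order.
    A pass rule always ends processing, whichever option is set.
    """
    order = ALERT_BEFORE_PASS_ORDER if opts.alert_before_pass else DEFAULT_ORDER
    rules = load_rules(matching, opts)
    rules.sort(key=lambda r: action_rank(r.action, order))  # stable sort
    events: List[Tuple[str, int]] = []
    first_rank = None
    for r in rules:
        rank = action_rank(r.action, order)
        if first_rank is None:
            first_rank = rank
        elif rank != first_rank and not opts.process_all_events:
            break  # default case: stop after the first action's events
        events.append((r.action, r.sid))
        if r.action == "pass":
            break  # pass terminates processing regardless of options
    return events


# Constructed rule sets: an errant pass rule that hides an alert, and a
# mixed drop/alert/log set for an inline policy run in IDS mode.
ERRANT_PASS_RULES = [
    Rule(1, "pass", "overly broad pass rule"),
    Rule(2, "alert", "suspicious request"),
]
INLINE_POLICY_RULES = [
    Rule(3, "drop", "block exploit attempt"),
    Rule(2, "alert", "suspicious request"),
    Rule(5, "sdrop", "silently drop scanner"),
    Rule(4, "log", "log the session"),
]

if __name__ == "__main__":
    for name, flags in [("default", Options()),
                        ("--alert-before-pass", Options(alert_before_pass=True)),
                        ("--alert-before-pass --process-all-events",
                         Options(alert_before_pass=True, process_all_events=True))]:
        print(f"{name}: {process_packet(ERRANT_PASS_RULES, flags)}")
    print("--treat-drop-as-alert:",
          process_packet(INLINE_POLICY_RULES, Options(treat_drop_as_alert=True)))
```

Under the default ordering the errant pass rule (sid 1) is the only thing acted on and the alert never appears; with --alert-before-pass the alert (sid 2) fires and, because only the first action's events are processed, the pass rule is never reached. Adding --process-all-events shows both, with the pass rule still ending processing. With --treat-drop-as-alert the drop rule surfaces as an alert and the sdrop rule is gone from the loaded set.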
Eugene Misnik
2013-05-08