snort rules header

ddaas · 12-04-2007, 07:17 AM

Hi there,
In the snort manual it is stated:

Code:

 As a precaution, keep in mind that Snort versions 1.x and 2.x apply rules in 
different ways. In Snort 1.x, if multiple rules match a given packet, only the first one is 
applied. After applying the first rule, no further action is taken on the packet. However in 
Snort version 2, all rules are applied before generating an alert message. The most severe
 alert message is then generated.

It snort2 applies all rules (not just the first that matches against a packet) what is the purpose of pass action. If I pass a packet, it will be caught by a second rule, right?

Please help me clarify this issue.

Thanks

unSpawn · 12-05-2007, 04:11 PM

As I read it it's just for generating alerts, not the final decision to pass. Of course I may be wrong. In any case your question should be answered real quickly on the snort-users list. If you get an explanation there I'd appreciate it if you post the details here.

ddaas · 12-06-2007, 02:13 AM

Hi,
Thanks for your answer.
If I find a detailed answer I'll post it here