Hi there,
In the snort manual it is stated:
Code:
As a precaution, keep in mind that Snort versions 1.x and 2.x apply rules in
different ways. In Snort 1.x, if multiple rules match a given packet, only the first one is
applied. After applying the first rule, no further action is taken on the packet. However in
Snort version 2, all rules are applied before generating an alert message. The most severe
alert message is then generated.
If snort2 applies all rules (not just the first that matches against a packet), what is the purpose of the pass action? If I pass a packet, it will be caught by a second rule, right?
Please help me clarify this issue.
Thanks