Order of Rules Based upon Action

119

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web cgi.rules

include $RULE_PATH/web coldfusion.rules

include $RULE_PATH/web iis.rules

include $RULE_PATH/web frontpage.rules

include $RULE_PATH/web misc.rules

include $RULE_PATH/web attacks.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack responses.rules

include $RULE_PATH/myrules.rules

3.8 Order of Rules Based upon Action

The five types of the rules can be categorized into three basic types.

1. Alert rules

2. Pass rules

3. Log rules

When a packet is received by Snort, it is checked in this order.  Each packet has to

go through all Alert rule checks before it is allowed to pass. This scheme is the most

secure since no packet passes through without being checked against all alert types.

However most of the packets are normal traffic and do not show any intruder activity.

Testing all of the packets against all alert rules requires a lot of processing power. Snort

provides a way to change this testing order to one which is more efficient, but more

dangerous.

1. Pass rules

2. Alert rules

3. Log rules