[Oisf-users] Only one alert where multiple rules should hit

Duane Howard duane.security at gmail.com
Mon Nov 17 19:26:40 UTC 2014


I have a pcap from a sample that I have a few similar rules for; they
effectively look for the same content, in slightly different ways (one
internal, one from VRT). When I run Snort over the pcap for this particular
session, I get an alert for each signature in question. When using Suricata
I only get an alert from one of these rules. Does Suricata bail on rule
comparisons after a single alert occurs?

./d