[Oisf-users] Only one alert where multiple rules should hit

Victor Julien lists at inliniac.net
Mon Nov 17 23:09:58 UTC 2014


On 11/17/2014 08:26 PM, Duane Howard wrote:
> I have a pcap from a sample that I have a few similar rules for, they
> effectively look for the same content, in slightly different ways (one
> internal, one from VRT). When I run Snort over the pcap this particular
> session, I get an alert for each signature in question. When using
> Suricata I only get an alert from one of these rules. Does Suricata bail
> on rule comparisons after a single alert occurs?

No. There must be another reason the other rules don't match. What
happens if you run the rules individually?

The only thing that could cause us to stop inspecting rules prematurely
is when a 'pass' rule matches.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
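A way to act on the "run the rules individually" suggestion above, as an added example that is not part of the original thread or of Suricata itself: split a rules file into one file per rule, then run Suricata over the pcap with each file loaded exclusively (`-S` ignores the rule files named in suricata.yaml) and count the lines in fast.log, one per alert. If a rule that alerts alone goes quiet when loaded together with the others, look for a pass rule in the combined set, since a matching pass rule is the one thing that stops inspection early. The config path, pcap path and output directory are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post. Assumes suricata
# is on PATH and that /etc/suricata/suricata.yaml exists (hypothetical path).

# split_rules RULES_FILE OUT_DIR
#   Writes every non-empty, non-comment line of RULES_FILE to its own file
#   OUT_DIR/rule_N.rules and prints how many rule files were written.
split_rules() {
    rules="$1"; out="$2"
    mkdir -p "$out"
    n=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        n=$((n + 1))
        printf '%s\n' "$line" > "$out/rule_$n.rules"
    done < "$rules"
    echo "$n"
}

# run_rule RULE_FILE PCAP LOG_DIR
#   Runs suricata in pcap-offline mode with only RULE_FILE loaded (-S) and
#   prints the number of alerts written to fast.log (0 if none).
run_rule() {
    rulefile="$1"; pcap="$2"; logdir="$3"
    rm -rf "$logdir"; mkdir -p "$logdir"
    suricata -c /etc/suricata/suricata.yaml -S "$rulefile" -r "$pcap" \
        -l "$logdir" >/dev/null 2>&1
    if [ -f "$logdir/fast.log" ]; then
        wc -l < "$logdir/fast.log" | tr -d ' '
    else
        echo 0
    fi
}

# Usage: sh per-rule.sh combined.rules sample.pcap [workdir]
# Prints the alert count for each rule when it is the only rule loaded.
if [ "$#" -ge 2 ]; then
    RULES="$1"; PCAP="$2"; WORK="${3:-./per-rule}"
    total=$(split_rules "$RULES" "$WORK/rules")
    i=1
    while [ "$i" -le "$total" ]; do
        f="$WORK/rules/rule_$i.rules"
        printf '%s: %s alert(s)\n' "$f" "$(run_rule "$f" "$PCAP" "$WORK/log_$i")"
        i=$((i + 1))
    done
fi
```

Compare the per-rule counts with a run of the combined file; a rule that alerts on its own but not in the combined run points at rule interaction (a pass rule, or the same sid/rev loaded twice and deduplicated) rather than at Suricata stopping after the first alert.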
