3.8 Order of Rules Based upon Action
The five rule actions (alert, log, pass, activate and dynamic) can be grouped into three basic types for the purpose of ordering:
- Alert rules
- Pass rules
- Log rules
When Snort receives a packet, it is checked against the rule categories in this order. Every packet has to go through all of the alert rule checks before a pass rule can let it through, which also means that a pass rule can never silence a packet that matches an alert rule. This scheme is the most secure, since no packet gets past Snort without being compared against every alert rule. However, most packets are normal traffic and show no intruder activity, and testing all of them against all alert rules costs a lot of processing power. Snort therefore provides a way to change the order to one that is more efficient, but more dangerous:
- Pass rules
- Alert rules
- Log rules
You must be careful when choosing this order, because a single badly written pass rule (for example one with "any" for the source, destination and port fields) matches first and allows packets that should have triggered alerts to pass through unchecked. If you really know what you are doing, you can use the -o command line switch to disable the default order and enable the new order of applying rules. You can also use "config order" in the configuration file for this purpose. Again, this is dangerous and you have now been warned twice. If you are sure of what you are doing, add this line to the snort.conf file:
config order
If you define your own rule types (with the ruletype keyword), they are checked last in the sequence, after the three basic types. For example, if you have defined a rule type snmp_alerts, the order of rule application with the default order will be:
Alert -> Pass -> Log -> snmp_alerts
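To make the effect of the order concrete, here is a small Python model of the evaluation sequence described above. It is an added example and not Snort's own code: rule headers are parsed in a simplified form (exact values or "any", no CIDR, no port ranges, only the msg option), and the rules, the addresses, the user-defined snmp_alerts type and the "overly broad" pass rule are all constructed for the illustration. It shows that with the default order a pass rule cannot exempt the trusted scanner from the SSH alert, that with the Pass -> Alert -> Log order it can, that the same order lets a pass rule written with "any" everywhere silence the SSH alert entirely, and how many rule comparisons each packet costs under each order. It also includes a simple lint check for pass rules that constrain nothing.

```python
"""Toy model of Snort's action-ordered rule evaluation (added example, not Snort source).

Each packet is checked against the rule lists in the configured action order; the
first rule that matches decides the packet's fate and evaluation stops.  Rule headers
are parsed as "action proto src sport -> dst dport (msg:...)" with only exact values
or "any" (no CIDR, no port ranges).  All rules, addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default order
FAST_ORDER = ("pass", "alert", "log")      # the order -o / "config order" selects


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str

    def matches(self, pkt: Packet) -> bool:
        def ok(spec: str, value) -> bool:
            return spec == "any" or spec == str(value)
        return (self.proto == pkt.proto
                and ok(self.src, pkt.src) and ok(self.sport, pkt.sport)
                and ok(self.dst, pkt.dst) and ok(self.dport, pkt.dport))


def parse_rule(line: str) -> Rule:
    """Parse the simplified rule syntax described in the module docstring."""
    head, _, opts = line.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' rules are modelled")
    msg = ""
    for opt in opts.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "msg":
            msg = val.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, msg)


def effective_order(rules: Sequence[Rule], order: Sequence[str]) -> Tuple[str, ...]:
    """Configured order first; user-defined rule types are appended last,
    in the order they first appear, as the text describes."""
    extra: List[str] = []
    for r in rules:
        if r.action not in order and r.action not in extra:
            extra.append(r.action)
    return tuple(order) + tuple(extra)


def evaluate(pkt: Packet, rules: Sequence[Rule],
             order: Sequence[str] = DEFAULT_ORDER) -> Tuple[Optional[str], str, int]:
    """Return (action, msg, rules_checked) for the first matching rule, or
    (None, "", rules_checked) if nothing matched.  rules_checked counts the
    rule comparisons made, i.e. the processing cost of this packet."""
    checked = 0
    for action in effective_order(rules, order):
        for rule in rules:
            if rule.action != action:
                continue
            checked += 1
            if rule.matches(pkt):
                return action, rule.msg, checked
    return None, "", checked


def overly_broad_pass_rules(rules: Sequence[Rule]) -> List[str]:
    """Lint check: a pass rule constraining neither endpoint nor the destination
    port swallows every packet of its protocol once pass rules are checked first."""
    return [r.msg for r in rules
            if r.action == "pass" and r.src == "any"
            and r.dst == "any" and r.dport == "any"]


# Constructed rule set: one of each basic type plus a user-defined type.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 22 (msg:"SSH connection attempt";)',
    'pass tcp 10.0.0.5 any -> any 22 (msg:"authorised scanner";)',
    'log tcp any any -> any 80 (msg:"web traffic";)',
    'snmp_alerts udp any any -> any 161 (msg:"SNMP query";)',
)]
# The kind of badly written pass rule the text warns about.
BAD_PASS = parse_rule('pass tcp any any -> any any (msg:"overly broad pass";)')

# Constructed packets (documentation and private addresses, not real traffic).
ATTACKER_SSH = Packet("tcp", "192.0.2.7", 40000, "10.0.0.10", 22)
SCANNER_SSH = Packet("tcp", "10.0.0.5", 40001, "10.0.0.10", 22)
WEB = Packet("tcp", "10.0.0.20", 40002, "10.0.0.10", 80)
SNMP = Packet("udp", "10.0.0.20", 40003, "10.0.0.10", 161)

if __name__ == "__main__":
    for label, rules in (("clean rules", RULES), ("with bad pass", RULES + [BAD_PASS])):
        for order in (DEFAULT_ORDER, FAST_ORDER):
            for name, pkt in (("attacker ssh", ATTACKER_SSH), ("scanner ssh", SCANNER_SSH),
                              ("web", WEB), ("snmp", SNMP)):
                print(f"{label:14} {'->'.join(order):16} {name:13} {evaluate(pkt, rules, order)}")
    print("broad pass rules:", overly_broad_pass_rules(RULES + [BAD_PASS]))
```

Running the script prints one line per packet and order. With the clean rule set, the scanner's SSH packet still raises the alert under the default order (the alert list is consulted first and the pass rule is never reached), but is passed after a single comparison under Pass -> Alert -> Log. Adding the pass rule written with "any" everywhere changes nothing under the default order, while under the reversed order it passes the attacker's SSH packet before the alert rule is ever consulted, which is exactly the risk the text describes.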