Snort mailing list archives

Snort rules order.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 29 Oct 2002 15:12:33 -0500

Hello,

I am running snort v 1.9.0 build 209 and I am having a problem with the
ordering of some rules.
I was under the assumption that this didn't matter anymore with snort 1.9.0.
I have two rules,


(trap-db is a custom ruletype I defined. Instead of using alert I use
trap-db to send snmp traps for some events).

trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll"; content: "|0001|"; offset:0; depth:2; content:"admin.dll"; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)

and 

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|0001|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)

For some reason the second rule gets triggered when I try a tftp session and
do a get admin.dll,
but if I say get passwd the correct passwd rule triggers. 

alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)


Anybody have any clue what might be wrong? Thanks!

vjl


V.Jay LaRosa                           EMC Corporation
Information Security                  171 South Street
(508)249-3355 office                  Hopkinton, MA 01748
(508)498-5575 cell                     www.emc.com
(888)799-9750 pager                  larosa_vjay () emc com
(508)497-8082 fax
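A small ruleset lint, added here as an example and not part of the original post, that parses the three rules above and reports pairs on the same protocol and destination port where one rule's content matches are a strict subset of another's (here the generic `|0001|`-only sid:1444 against the admin.dll and passwd rules). Such a pair is a candidate for the behaviour described, since whichever rule Snort evaluates first wins; it also shows the action type of each rule so cross-ruletype pairs (alert vs. the custom trap-db) stand out. It assumes rules written on a single line and compares only protocol and destination port, not the address variables.

```python
import re

# The three rules from the post, each unwrapped onto one line (copied from the page).
RULES = [
    'trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll"; content: "|0001|"; '
    'offset:0; depth:2; content:"admin.dll"; nocase; classtype:successful-admin; '
    'reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|0001|"; offset:0; '
    'depth:2; classtype:bad-unknown; sid:1444; rev:2;)',
    'alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; '
    'content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)',
]

# action proto src sport dir dst dport (options)
HEADER = re.compile(r'^(\S+)\s+(\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$')

def decode_content(value):
    """Turn a Snort content string into bytes; text between | | is hex."""
    out = b''
    for i, piece in enumerate(value.strip().strip('"').split('|')):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return out

def parse_rule(text):
    """Return action, proto, dst port, sid and the set of content matches."""
    action, proto, dport, body = HEADER.match(text).groups()
    contents, sid = [], None
    for opt in body.split(';'):
        key, _, val = opt.strip().partition(':')
        if key == 'content':
            contents.append([decode_content(val), False])  # [bytes, nocase]
        elif key == 'nocase' and contents:
            contents[-1][1] = True  # nocase modifies the preceding content
        elif key == 'sid':
            sid = int(val)
    matches = frozenset(b.lower() if nocase else b for b, nocase in contents)
    return {'action': action, 'proto': proto, 'dport': dport, 'sid': sid, 'matches': matches}

def find_shadowing(rule_texts):
    """(generic_sid, generic_action, specific_sid, specific_action) for every pair on the
    same proto/port where the generic rule's matches are a strict subset of the specific one's."""
    rules = [parse_rule(t) for t in rule_texts]
    return sorted((g['sid'], g['action'], s['sid'], s['action'])
                  for g in rules for s in rules
                  if (g['proto'], g['dport']) == (s['proto'], s['dport'])
                  and g['matches'] < s['matches'])

if __name__ == '__main__':
    for g_sid, g_act, s_sid, s_act in find_shadowing(RULES):
        print(f'sid:{g_sid} ({g_act}) can shadow sid:{s_sid} ({s_act}) if evaluated first')
```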


