Intrusion Detection Systems mailing list archives

Problem in snort 1.3


From: pa2347 () panservice it (Fabio Pietrosanti)
Date: Sun, 24 Oct 1999 13:17:53 +0200 (CEST)



Hi, I think there's a problem in the new NIDS called snort.
It reads and applies rules in order, but if one matches, the others
are not considered. Look at this example...
I put these two rules, in this order, in my ruleset file:

alert tcp 127.0.0.1/32 any -> 192.168.1.0/24 any (msg:"Attempt to Connect via Fake Localhost";)
alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg:"NMAP TCP ping";)

I send two packets (tcpdump is still the best):
13:01:36.428180 127.0.0.1.2525 > 192.168.1.1.23: . ack 0 win 512
13:01:47.152670 10.1.1.1.4762 > 192.168.1.1.23: . ack 0 win 512

Now, see what happened:
1) for the first packet, I SHOULD get two alerts,
- a forged packet with src 127.0.0.1  (Attempt to Connect via Fake
Localhost)
- the notice of an nmap tcp ping.     (NMAP TCP ping!)
but I receive in my log only one!
Oct 24 13:01:36 NaiF syslog: Attempt to Connect via Fake Localhost:
127.0.0.1:2525 -> 192.168.1.1:23
And where's the signature of ack seq = 0?

2) the next packet should give me only one alert, and so it does:
Oct 24 13:01:47 NaiF syslog: NMAP TCP ping!: 10.1.1.1:4762 ->
192.168.1.1:23

I can't check where the code problem is, because I'm not yet an experienced C
programmer :(
Sorry for my bad English..

Fabio Pietrosanti                                       
E-mail: pa2347 () panservice it
Irc: NaiF@ircnet

Windows 95:  A 32-bit patch for a 16-bit GUI shell running on top of an
             8-bit operating system written for a 4-bit processor by a
             2-bit company who cannot stand 1 bit of competition.
        
                            Save the World...Use Linux .
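As an added illustration (not code from the post, and not Snort's own matching engine), a small Python model of the two rules and two packets above. It assumes a simplified matcher (CIDR source/destination, a flags string and an ack value, with Snort's "any" modelled as 0.0.0.0/0) and shows how first-match evaluation loses the second alert on the spoofed-localhost packet, while evaluating every rule reports both:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class Packet:                 # constructed from the tcpdump lines in the post
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # TCP flag letters as Snort writes them ("A" = ACK only)
    ack: int                  # acknowledgement number

@dataclass
class Rule:
    msg: str
    src_net: str              # CIDR; Snort's "any" is modelled here as 0.0.0.0/0
    dst_net: str
    flags: Optional[str] = None
    ack: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.flags is not None and pkt.flags != self.flags:
            return False
        return self.ack is None or pkt.ack == self.ack
# The two rules from the post, in the order the poster listed them
RULES = [
    Rule("Attempt to Connect via Fake Localhost", "127.0.0.1/32", "192.168.1.0/24"),
    Rule("NMAP TCP ping!", "0.0.0.0/0", "192.168.1.0/24", flags="A", ack=0),
]
def alert(rule: Rule, pkt: Packet) -> str:
    # Same shape as the syslog lines quoted in the post
    return f"{rule.msg}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
def first_match(rules: List[Rule], pkt: Packet) -> List[str]:
    """Behaviour the post describes: evaluation stops at the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return [alert(rule, pkt)]
    return []
def all_matches(rules: List[Rule], pkt: Packet) -> List[str]:
    """What the poster expected: every matching rule raises its own alert."""
    return [alert(rule, pkt) for rule in rules if rule.matches(pkt)]
# The two packets from the post (spoofed 127.0.0.1 source, then 10.1.1.1)
FAKE_LOCALHOST = Packet("127.0.0.1", 2525, "192.168.1.1", 23, "A", 0)
NMAP_PING = Packet("10.1.1.1", 4762, "192.168.1.1", 23, "A", 0)
```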
