Snort mailing list archives

Rule order?


From: "Toby Rodwell" <trodwell () iee org>
Date: Wed, 17 Dec 2003 20:32:55 -0000

I think I might be missing something basic here.  I'm getting to grips with
Snort, trying out some really simple configs.  I'm used to rules being run in
the sequence they appear, so my snort.conf is currently this:

var OUTSIDE_IF $eth0_ADDRESS
config dump_payload
config logdir: /var/snort/log
log tcp any any -> $OUTSIDE_IF any (flags: A; ack: 0; msg: "NMAP TCP ping";)
log icmp any any -> any any (logto:"icmp.log";)
log tcp any any -> $OUTSIDE_IF any (flags: S; msg: "Possible unsolicited SYN";)
log tcp any any <> $OUTSIDE_IF any (logto:"normal.log";)
log udp any any -> any any

but then the following appeared in my 'normal.log' - addresses changed to
protect the innocent :-)

12/17-13:04:32.225415 [IP-address]:50712 -> [OUTSIDE_IF]:22
TCP TTL:52 TOS:0x0 ID:57971 IpLen:20 DgmLen:48 DF
******S* Seq: 0x62D60A62  Ack: 0x0  Win: 0xC1E8  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

... which by my reckoning should have matched rule number 3 before rule
number 4.

Any ideas?
Thanks in advance
Toby
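Evaluating the post's own rules against the logged packet, as an added example that is not part of the original post or of Snort itself: each rule's header and flags/ack conditions are checked against the fields printed in the log record, and the conditions of both rule 3 and rule 4 hold for this SYN, so a record in normal.log does not by itself show that rule 3 was skipped. The matcher, the RULES table and the RFC 5737 addresses standing in for the redacted ones are assumptions of the example.

```python
import re

# Constructed sample: the logged packet from the post, with the redacted
# addresses replaced by RFC 5737 documentation values.
OUTSIDE_IF = "198.51.100.5"  # assumed value of $OUTSIDE_IF
PACKET_LOG = """\
12/17-13:04:32.225415 192.0.2.10:50712 -> 198.51.100.5:22
TCP TTL:52 TOS:0x0 ID:57971 IpLen:20 DgmLen:48 DF
******S* Seq: 0x62D60A62  Ack: 0x0  Win: 0xC1E8  TcpLen: 28
"""

# The five rules from the snort.conf, reduced to (number, protocol,
# direction, $OUTSIDE_IF side or None for any, flags option, ack option).
RULES = [
    (1, "TCP",  "->", OUTSIDE_IF, "A",  0),
    (2, "ICMP", "->", None,       None, None),
    (3, "TCP",  "->", OUTSIDE_IF, "S",  None),
    (4, "TCP",  "<>", OUTSIDE_IF, None, None),
    (5, "UDP",  "->", None,       None, None),
]

def parse_packet(text):
    # Minimal parser for one Snort full-format log record (hypothetical).
    hdr, proto_line, *rest = text.strip().splitlines()
    _, src, dst = re.match(r"(\S+) (\S+):\d+ -> (\S+):\d+", hdr).groups()
    proto, flags, ack = proto_line.split()[0], "", None
    if proto == "TCP":
        raw, ack_hex = re.match(r"(\S{8})\s+Seq: \S+\s+Ack: (\S+)", rest[0]).groups()
        # Snort prints the flag byte as 1 2 U A P R S F with '*' for a clear
        # bit, so the set flags are the non-'*' characters.
        flags, ack = raw.replace("*", ""), int(ack_hex, 16)
    return {"proto": proto, "src": src, "dst": dst, "flags": flags, "ack": ack}

def rule_matches(rule, pkt):
    _, proto, direction, addr, flags, ack = rule
    if proto != pkt["proto"]:
        return False
    if addr is not None:
        # "->" pins $OUTSIDE_IF to the destination; "<>" accepts either end.
        ends = (pkt["dst"],) if direction == "->" else (pkt["src"], pkt["dst"])
        if addr not in ends:
            return False
    # A plain "flags:" option matches only when exactly those flags are set.
    if flags is not None and set(pkt["flags"]) != set(flags):
        return False
    return ack is None or pkt["ack"] == ack

def matching_rules(text):
    # Numbers, in snort.conf order, of every rule whose conditions the packet meets.
    pkt = parse_packet(text)
    return [r[0] for r in RULES if rule_matches(r, pkt)]
```

Calling `matching_rules(PACKET_LOG)` returns `[3, 4]`; swapping the flag field for `***A****` (an ACK with ack 0, the nmap ping shape rule 1 describes) returns `[1, 4]`.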


