Snort mailing list archives

Snort3: binder and wizard inspectors


From: Meridoff via Snort-users <snort-users () lists snort org>
Date: Sat, 3 Nov 2018 02:16:26 +0300

Hello, there is only very brief info in the manual about using the wizard and binder.

I have some questions concerning the most common use of them.

1. Do binder and wizard have "first match wins" logic in their config?

2. In binder we have a "when" table - the match logic - and a "use" table - what
to do if a match occurs. Do the keys in when{} have AND logic? (e.g.:
when.ports and when.nets etc. must match together if specified)

3. In binder, use.type is the inspector to use for the match case. But what
do when.service and use.service mean?
As far as I understand:
 3.1 we can define our own 'service' in binder by    { when { port=123 }, use {
service = "myserv" }  }
 3.2 we can define our own 'service' in wizard by the spells/hexes tables
 3.3 if we have a 'service' then we can use it in the binder.use logic

4. What is the meaning of binder[].use.name? Where can its value be used?

5. So binder{} is evaluated first to identify the service and second to identify what
inspector to use for this service or what action to take (reset|block...).

6. Wizard usually goes last in binder{}, so it is used to identify the service
that the bindings in binder failed to identify? And if we can identify the
service in wizard, then we look into binder a 2nd time to decide what to do
with it - what inspector or action to use and so on..
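An added example (not the poster's config and not the Snort project's shipped defaults) of the arrangement the questions describe: ordered binder rows, service-keyed rows that only match once a service is known, and the wizard as the last row so it can name the service and send the flow back through the binder. HOME_NET, the telnet row and the choice of spells/hexes are assumptions; the key names are Snort3's.

```lua
-- Assumed value for this example only; not from the original post.
HOME_NET = '10.0.0.0/8'

-- binder rows are tried top to bottom and the first match wins.
-- Every key inside one when{} must hold at the same time (AND).
binder =
{
    -- Port-based row: UDP/53 towards the server side goes to the dns inspector.
    { when = { proto = 'udp', ports = '53', role = 'server' },
      use  = { type = 'dns' } },

    -- Service-based row: matches only after something (a port row or the
    -- wizard) has set the flow's service to 'http', on whatever port it uses.
    { when = { service = 'http' },
      use  = { type = 'http_inspect' } },

    -- Policy row keyed on service plus network: drop telnet seen from HOME_NET.
    { when = { service = 'telnet', nets = HOME_NET },
      use  = { action = 'block' } },

    -- Fallback row: flows nothing above claimed go to the wizard. When the
    -- wizard identifies a service, the binder is consulted again and the
    -- service-based rows above can now match.
    { use = { type = 'wizard' } },
}

wizard =
{
    -- Text protocols: token patterns per direction set the service name.
    spells =
    {
        { service = 'http', proto = 'tcp',
          to_server = { 'GET', 'HEAD', 'POST', 'PUT', 'OPTIONS' },
          to_client = { 'HTTP/' } },
    },
    -- Binary protocols: hex patterns (DCE/RPC version bytes, as in Snort's own defaults).
    hexes =
    {
        { service = 'dcerpc', proto = 'tcp',
          to_server = { '|05 00|' }, to_client = { '|05 00|' } },
    },
}

-- Every inspector named in a use.type must itself be configured (empty tables are fine).
dns = { }
http_inspect = { }
```

Swapping the wizard row to the top of binder would make it claim every flow before the port rows are reached, which is why it belongs last.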