Snort mailing list archives
Re: Repeating question re: problems with director operators.
From: John Sage <jsage () finchhaven com>
Date: Tue, 5 Mar 2002 18:46:50 -0800
On Tue, Mar 05, 2002 at 05:41:59PM +0100, Jesus Couto wrote:
> No, the lines are not split in the configuration, cause if they were I wouldn't get snort recording anything. It's an artifact of cutting & pasting them to the email client.
OK: I thought that, but you get to a point where any answer...
> And the problem is not replacing 2 rules in different directions with one with <>; the problem is writing a new rule and thinking you are "safe" (not getting attacked) when in fact one of the previous rules is making the new one not work, because of this. The second rule doesn't have to be exactly the same as the first; you may be checking for another kind of packet, but that rule will never be triggered as long as there is another first with the same networks and ports and different direction.
When I grep for '<-' in *.rules and examine some of the results, in no case do I find two rules where the left side is identical to the right side (i.e. the only difference between two rules is the direction of the directional arrow.) This suggests something to me...
> Adding to that the fact that the content option doesn't work with <- rules, which renders some rules of the distribution worthless (example: sid 717), the fact is that the <- operator is seriously broken (well, it was never mentioned in the manual to begin with, but snort doesn't croak when it sees it and it "works" sometimes), and all rules should be written with ->.
Here's the best thought: why can't you re-write your rules so the directional is uni-directional only, and just go on with your work...
It may be true that what you're trying to do doesn't work; personally, I'd find a different way to do it.
- John
--
Most people don't type their own logfiles; but, what do I care?
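As an added example (not part of the original messages and not code from the Snort project): a small Python lint for the grep described above. It lists rules that use `<-`, notes whether each carries a `content` option, and groups rules whose headers are identical except for the direction operator. The sample rules, their messages and their sids are constructed placeholders.

```python
import re
from collections import defaultdict

# Rule header: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<-|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID = re.compile(r"\bsid:\s*(\d+)\s*;")

# Constructed sample rules file; sids are placeholders, not real rule ids.
SAMPLE = """\
# constructed sample rules
alert tcp $HOME_NET 23 <- $EXTERNAL_NET any (msg:"constructed A"; content:"abc"; sid:1000001;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"constructed B"; content:"def"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed C"; sid:1000003;)
alert udp $HOME_NET 53 <- $EXTERNAL_NET any (msg:"constructed D"; sid:1000004;)
"""

def parse_rules(text):
    """Yield one dict per rule line; comments and blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            rule = m.groupdict()
            sid = SID.search(rule["opts"])
            rule["sid"] = int(sid.group(1)) if sid else None
            yield rule

def lint(text):
    """Return ('<-' rules as (sid, has_content), groups differing only in direction)."""
    rules = list(parse_rules(text))
    reversed_rules = [
        (r["sid"], bool(re.search(r"\bcontent:", r["opts"])))
        for r in rules if r["dir"] == "<-"
    ]
    groups = defaultdict(list)
    for r in rules:
        # Same protocol, addresses and ports as written; only the arrow may differ.
        groups[(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    conflicts = [
        [r["sid"] for r in g]
        for g in groups.values() if len({r["dir"] for r in g}) > 1
    ]
    return reversed_rules, conflicts

if __name__ == "__main__":
    print(lint(SAMPLE))
```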