Snort mailing list archives
RE: Snort-users digest, Vol 1 #3204 - 10 msgs
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Wed, 28 May 2003 09:48:14 -0500
Hi,

I noticed this behavior as well. It occurs any time the order is changed in any way. I started noticing it with ICMP traffic triggering on the 'undefined code' instead of the ping or whatever. I have since found another rule that is not triggering. I have yet to find the problem. There was one other person who responded to one of my earlier posts who was seeing the same issue. I use the same order you described. I tried both with the -o and with the 'config' statement in the snort.conf. Both cause the same issue. Sorry, that doesn't help much, but at least there are others seeing the same thing. I haven't seen a post from Marty or Chris about this; I am just assuming that it is corrected or will be corrected in the CVS. I haven't had a chance to take a look.

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org

-----Original Message-----
Date: Mon, 26 May 2003 22:17:26 -0400
From: lpj0508 () netscape net
To: snort-users () lists sourceforge net
Subject: [Snort-users] strange behavior in rule processing?

Hi,

I've been using snort 2.0 since it came out. I noticed one strange behavior though. My rule order is set to pass->alert->log (using -o).
When I need to disable a rule, I usually just copy and paste it into the pass rules with the pass directive, similar to below:

[root@xxxxx rules]# grep "WEB-MISC http directory traversal" *
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flags:A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:4;)
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:4;)

This has been working fine all along, and with such an arrangement I do not get directory traversal alerts, but recently I've started to get the directory traversal alerts again, despite not having made any changes recently. Is anyone able to shed some light on this behavior?

Thanks,
lpj
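Whatever caused the behaviour reported in this thread (the thread itself does not resolve it), anyone who disables rules the way lpj describes wants a check that each pass copy still mirrors the alert rule it shadows, because a pass rule only suppresses packets that it itself matches: if a rule update changes the alert rule's options and the pass copy is not updated, the two rules no longer match the same traffic and the alert fires regardless of pass->alert->log ordering. The following is an added example, not code from the thread or from the Snort project. It parses the grep output quoted in the post (copied verbatim above as constructed sample input) and diffs every pass rule against the alert rule with the same sid. The file names and the Snort 2.0 rule syntax are as shown in the post; the parser, the option splitter and the comparison are the example's own.

```python
"""Check that Snort 'pass' rule copies still mirror the alert rules they shadow.

Added example (not from the thread or from Snort). Reads rule lines as grep prints
them (optional "file:" prefix), pairs pass and alert rules by sid, and reports any
header or option that differs between the two.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the four lines quoted in lpj's post, exactly as grep printed them.
GREP_OUTPUT = r'''
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flags:A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:4;)
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:4;)
'''

ACTIONS = ("pass", "alert", "log", "drop")
GREP_RE = re.compile(r"^(?P<file>[^\s:]+):(?=(?:pass|alert|log|drop)\s)")
RULE_RE = re.compile(r"^\s*(?P<action>pass|alert|log|drop)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    header: str      # e.g. "tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"
    options: list    # ordered (keyword, value) pairs from the rule body
    sid: str
    source: str      # file name from the grep prefix, or "-" if none


def split_options(body):
    """Split a rule body on ';' outside double quotes, honouring backslash escapes
    (Snort content strings may contain escaped '"', ';' and '\\')."""
    tokens, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(buf).strip()
            if tok:
                tokens.append(tok)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        tokens.append(tail)
    pairs = []
    for tok in tokens:
        key, _, val = tok.partition(":")
        pairs.append((key.strip(), val.strip()))
    return pairs


def parse_rules(text):
    """Parse rule lines (optionally prefixed 'file:' as grep prints them)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        g = GREP_RE.match(line)
        source = g.group("file") if g else "-"
        if g:
            line = line[g.end():]
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = split_options(m.group("opts"))
        sid = next((v for k, v in opts if k == "sid"), None)
        header = " ".join(m.group("header").split())   # normalise whitespace
        rules.append(Rule(m.group("action"), header, opts, sid, source))
    return rules


def compare_pass_rules(rules):
    """For each alert rule, diff it against the pass rule with the same sid.
    Returns {sid: [findings]}; an empty list means the pass copy mirrors it exactly."""
    alerts = {r.sid: r for r in rules if r.action == "alert"}
    passes = {r.sid: r for r in rules if r.action == "pass"}
    report = {}
    for sid, a in alerts.items():
        p = passes.get(sid)
        if p is None:
            report[sid] = ["no pass rule with this sid"]
            continue
        findings = []
        if a.header != p.header:
            findings.append(f"header differs: alert={a.header!r} pass={p.header!r}")
        # Multiset comparison: a rule may legitimately carry several 'content' options.
        a_opts, p_opts = Counter(a.options), Counter(p.options)
        for k, v in (a_opts - p_opts).elements():
            findings.append(f"only in alert rule: {k}:{v}")
        for k, v in (p_opts - a_opts).elements():
            findings.append(f"only in pass rule: {k}:{v}")
        report[sid] = findings
    return report


if __name__ == "__main__":
    for sid, findings in sorted(compare_pass_rules(parse_rules(GREP_OUTPUT)).items()):
        print(f"sid {sid}: " + ("pass copy mirrors alert rule" if not findings else "; ".join(findings)))
```

Run against the lines from the post, the check reports sid 1112 as an exact mirror, while the pass copy of sid 1113 carries `flags:A+` where the alert rule carries `flow:to_server,established`; a divergence of that kind is worth ruling out before attributing alerts that slip past a pass rule to the engine's rule ordering. Pipe real `grep` output (or whole rule files) into `parse_rules` to run the same comparison on a live rule set.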
Current thread:
- RE: Snort-users digest, Vol 1 #3204 - 10 msgs Ron Shuck (May 28)