Snort mailing list archives
Re: Differences Between Versions
From: Martin Olsson <elof () sentor se>
Date: Fri, 16 Jan 2004 10:10:47 +0100 (CET)
On Fri, 16 Jan 2004, Michael Thompson wrote:
> On one box I have snort 2.00 and on another I have Snort 2.1.0. My question is that the Snort 2.00 appears to miss certain events, while snort 2.1 picks them up. Does anyone know if there are any known logging problems with the 2.0 version?
Yes, there was a bug in the wu-manber (mwm) pattern matcher in snort 2.0.x. When I changed the search-method to ac, snort started alerting on rules that had been quiet using the mwm method.

Two of the rules that didn't work with mwm were:

sid:1561 WEB-MISC ?open access
sid:1117 WEB-MISC Lotus EditDoc

Both of these rules use the uricontent with a leading question mark.

uricontent:"?open";
uricontent:"?EditDocument";

This bug in mwm should have been fixed in snort 2.1.0.

/Martin
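An added example, not part of the original message and not Snort's own code: one way to spot the symptom described in this thread is to run the same traffic through both sensors (or both search-method settings) and compare per-rule alert counts. The alert lines are constructed samples in Snort's fast alert format; the rule revisions, addresses and local rule 1000001 are assumptions.

```python
import re
from collections import Counter

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] message [**] ...
FAST_ALERT = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]")

# Constructed sample alerts (revisions, addresses and rule 1000001 are made up).
REFERENCE = [  # sensor that alerts as expected
    "01/16-10:02:11.104522  [**] [1:1561:4] WEB-MISC ?open access [**] [Priority: 2] {TCP} 192.0.2.10:40112 -> 198.51.100.5:80",
    "01/16-10:02:14.880031  [**] [1:1117:5] WEB-MISC Lotus EditDoc [**] [Priority: 2] {TCP} 192.0.2.10:40115 -> 198.51.100.5:80",
    "01/16-10:02:19.002210  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 192.0.2.11:40200 -> 198.51.100.5:80",
    "01/16-10:03:40.551209  [**] [1:1561:4] WEB-MISC ?open access [**] [Priority: 2] {TCP} 192.0.2.12:40301 -> 198.51.100.5:80",
]
SUSPECT = [  # sensor that appears to miss events on the same traffic
    "01/16-10:02:19.002305  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 192.0.2.11:40200 -> 198.51.100.5:80",
]

def count_alerts(lines):
    """Return ({(gid, sid): count}, {(gid, sid): msg}) for fast-format lines."""
    counts, names = Counter(), {}
    for line in lines:
        m = FAST_ALERT.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not an alert header
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        names.setdefault(key, m["msg"])
    return counts, names

def quiet_rules(suspect_lines, reference_lines):
    """Rules that fired fewer times on the suspect sensor than on the reference.

    Returns sorted tuples of (sid, msg, suspect_count, reference_count).
    """
    suspect, _ = count_alerts(suspect_lines)
    reference, names = count_alerts(reference_lines)
    return sorted(
        (sid, names[(gid, sid)], suspect[(gid, sid)], n)
        for (gid, sid), n in reference.items()
        if suspect[(gid, sid)] < n  # Counter yields 0 for rules never seen
    )

if __name__ == "__main__":
    for sid, msg, got, expected in quiet_rules(SUSPECT, REFERENCE):
        print(f"sid:{sid} {msg}: {got} alerts, reference sensor had {expected}")
```

A rule that goes quiet on only one of the two sensors while unrelated rules still fire on both points at the detection engine or its configuration rather than at the traffic.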
Current thread:
- Differences Between Versions Michael Thompson (Jan 15)
- Re: Differences Between Versions Martin Olsson (Jan 16)