Snort mailing list archives

Fwd: Inconsistencies with ruletype definition in >= Snort 2.8.5.3


From: Yun Zheng Hu <yunzheng.hu () gmail com>
Date: Fri, 14 May 2010 17:07:17 +0200

Forwarding this to the mailing list as I got no reply from bugs () snort org

---------- Forwarded message ----------
From: Yun Zheng Hu <yunzheng.hu () gmail com>
Date: Tue, Apr 27, 2010 at 15:06
Subject: Inconsistencies with ruletype definition in >= Snort 2.8.5.3
To: bugs () snort org


Hello,

We use the 'ruletype' definition to mark some rules as 'pending',
which means they only log to a file instead of creating a unified log
file.
We used to use Snort 2.8.4.1 but with the change of some keywords in
VRT we are transitioning to Snort 2.8.6.

We found out that on one of our production sensors the 'pending'
ruletype stopped working when upgrading to Snort 2.8.5.1 (also tested
on 2.8.6). I have been able to reduce the problem to a minimal pcap
and ruleset to fully reproduce the bug.

See the attachment:

$ tar -zxvf test-case.tar.gz
$ cd test-case
$ ./test-bug.sh
# you see that the 'snort.pending' file is empty, so snort bugged.

$ ./test-no-bug.sh
# you see that the 'snort.pending' file works, because it contains data.

The two shell scripts are the same but include a different snort
config file. The only difference between these two files is
the definition of a subnet that is used in one of the rules.

Some info that was required for submitting a bug:
 - Running Snort 2.8.5, also tested on 2.8.6
 - There are only 2 rules in the test set.
 - Snort was built from Gentoo ebuilds.
 - Config files are included in the tar.gz
 - Snort runs on Gentoo Linux on a Dell 1950 (32 bits)
 - I know the HOME_NET definition is really big, but we use this
method to exclude specific ip addresses as they are web proxy
servers (and thus EXTERNAL).
 - the attached test-case should provide everything you need.

Hope you guys can debug/fix the problem with the test setup. In the
meanwhile we are forced to stop using the 'ruletype' feature. If you
need more information please let me know.

Regards,
Yun

Attachment: test-case.tar.gz
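The configuration pattern the report describes (a custom ruletype whose rules are written only to their own file, combined with a HOME_NET that carves out the web proxies) can be sketched as a snort.conf fragment. This is an added illustration for readers of the archive, not the poster's attached test case; the addresses, the output file names, the rule and its sid are made up for the example, and the syntax is the Snort 2.8 ipvar/ruletype syntax:

```snort
# Added example, not the configuration from the attached test-case.tar.gz.
# All addresses below are constructed.

# HOME_NET covers the internal range but excludes two web proxies, so
# traffic sourced from the proxies is matched as EXTERNAL_NET instead.
ipvar HOME_NET [10.0.0.0/8,![10.0.0.10,10.0.0.11]]
ipvar EXTERNAL_NET !$HOME_NET

# Custom ruletype: a rule that starts with 'pending' instead of 'alert'
# is written only to snort.pending (alert_fast, one line per event) and
# never reaches the unified2 output that the regular alert rules feed.
ruletype pending
{
    type alert
    output alert_fast: snort.pending
}

# Regular alert rules keep going to unified2 as before.
output unified2: filename snort.u2, limit 128

# A rule still under evaluation: ordinary rule syntax, but the action
# keyword is the name of the custom ruletype. sid 1000001 is a placeholder
# from the local-rule range.
pending tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE pending rule"; flow:to_server,established; content:"GET"; sid:1000001; rev:1;)
```

The check the report's two scripts perform maps directly onto this fragment: run snort against the pcap with each config and see whether snort.pending receives lines for the 'pending' rule. One operational caveat worth keeping in mind with this pattern: because the custom ruletype bypasses unified2, anything that consumes unified2 (barnyard2, a SIEM collector) is blind to these events, so snort.pending has to be collected and watched on its own, or a silently failing ruletype, exactly the symptom reported here, goes unnoticed until someone opens the file.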

