[Snort-devel] Possible bug

Bob Fawcett bobf at ...111...
Fri Nov 3 07:47:50 EST 2000


I posted the following to snort-users.
----

I am brand new to snort.
I have snort 1.6.3 running on an NT 4.0 workstation with a nearly 
stock copy of rules 10102k.
I get an alert in the alert.ids file but no decode in net.net.subnet 
directory.  This only happens for a few rules, most of the rules create 
the subdirectory in the log directory as expected.

A specific example:
when this rule triggers
 alert TCP !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )
I get no subdirectory for the IP that triggered it. The IP is in my 
alerts.ids file. (The rules are all one line long - wrap is for email).

Thanks for any help
----
Got a reply and tried this:
---
Ahhh.... What you might want to try is add a logto: statement to the event.
This will cause the info to be logged to a file. That way you can see if it
is a rule issue or possibly a bug. For example...

alert TCP !$HOME_NET any -> $HOME_NET 2301 (logto: "insightdotdot.txt"; msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )

This should log the packet contents to the file insightdotdot.txt in
logdir.

Hope that helps.

--------

I added a logto to the rule and it posts the packets in the expected file. 
The example I gave is just one of several I have seen where I get an 
alert but no IP-named subdirectory in the logdir with packets. I will try 
to supply any other info needed if this is in fact a bug. It may be just 
my setup. If you need new info please email me direct, I don't monitor 
this list.


Bob Fawcett
bobf at ...111...
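
The cross-check below follows from the suggestion in the thread and is added here as an example; it is not part of Bob's post or of Snort itself. It reads an alert.ids file, pairs each "[**] msg [**]" header with the flow line that follows it, and reports every alert whose source IP has no IP-named subdirectory under the log directory, which is the symptom described above. The alert.ids layout it parses is a simplified assumption about the Snort 1.x format, the sample alerts and directory names are constructed, and the rule that the subdirectory is named after the alert's source address is taken from Bob's description of the triggering IP.

```python
import os
import re
from typing import Dict, Iterable, List

# Assumption: a Snort 1.x alert.ids entry starts with a "[**] <msg> [**]"
# header line followed by a timestamped flow line
# "<MM/DD-HH:MM:SS.usec> <src>:<sport> -> <dst>:<dport>". Only those two
# lines are parsed; the protocol/TCP decode lines that follow are skipped.
ALERT_MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]\s*$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_FLOW_RE = re.compile(
    rf"^(?:\S+\s+)?(?P<src>{IPV4}):\d+\s+->\s+(?P<dst>{IPV4}):\d+"
)

# Constructed sample input, not taken from a real sensor. The first alert is
# the rule discussed in the thread; the second is a made-up comparison case.
SAMPLE_ALERT_IDS = """\
[**] IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot [**]
11/03-07:47:50.123456 10.0.0.7:1055 -> 192.168.1.5:2301
TCP TTL:128 TOS:0x0 ID:4242 DF

[**] EXAMPLE - constructed second alert [**]
11/03-07:48:01.000001 10.0.0.9:6000 -> 192.168.1.5:21
TCP TTL:64 TOS:0x0 ID:1 DF
"""

# Constructed: the IP-named subdirectories present under logdir. Only the
# second alert's source has one, mirroring the reported symptom.
SAMPLE_LOGDIR_SUBDIRS = {"10.0.0.9"}


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Pair each [**] header with the flow line that follows it."""
    alerts: List[Dict[str, str]] = []
    pending_msg = None
    for line in text.splitlines():
        m = ALERT_MSG_RE.match(line)
        if m:
            pending_msg = m.group("msg")
            continue
        f = ALERT_FLOW_RE.match(line)
        if f and pending_msg is not None:
            alerts.append(
                {"msg": pending_msg, "src": f.group("src"), "dst": f.group("dst")}
            )
            pending_msg = None
    return alerts


def alerts_without_decode(
    alerts: Iterable[Dict[str, str]], subdirs: Iterable[str]
) -> List[Dict[str, str]]:
    """Return alerts whose source IP has no IP-named subdirectory in logdir.

    Assumption (from the thread): for a rule matching traffic from outside
    HOME_NET, the packet-log subdirectory is named after the source address.
    """
    present = set(subdirs)
    return [a for a in alerts if a["src"] not in present]


def check_logdir(alert_path: str, logdir: str) -> List[Dict[str, str]]:
    """Run the cross-check against a real alert file and log directory."""
    with open(alert_path, encoding="utf-8", errors="replace") as fh:
        alerts = parse_alerts(fh.read())
    subdirs = [
        d for d in os.listdir(logdir) if os.path.isdir(os.path.join(logdir, d))
    ]
    return alerts_without_decode(alerts, subdirs)


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; point check_logdir() at a
    # real alert.ids and logdir to repeat the check on a live sensor.
    for a in alerts_without_decode(parse_alerts(SAMPLE_ALERT_IDS), SAMPLE_LOGDIR_SUBDIRS):
        print(f"alert without decode: {a['msg']} from {a['src']} -> {a['dst']}")
```

Running it on the constructed sample lists the IDS244 alert from 10.0.0.7 as having no packet decode, while the second alert is silent because its source directory exists. On a sensor, call check_logdir() with the path to alert.ids and the -l log directory; an empty list means every alert has a matching subdirectory and the problem is elsewhere.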


