[Snort-devel] Possible bug

Michael Davis mike at ...27...
Fri Nov 3 23:50:44 EST 2000

Hash: SHA1


    Sorry I never replaied to you in -users, I lost the message in
the fray :) Can you please sent me a copy of your complete rules
file, what command line args you are using, Service Pack, and version
of the winpcap driver.

Hopefully we can get to the bottom of this because I have test
snort-win32 extensivly and never had this problem.

Michael Davis
Chief Technical Officer
Data Nerds, LLC.

- ----- Original Message ----- 
From: "Bob Fawcett" <bobf at ...111...>
To: <snort-devel at lists.sourceforge.net>
Sent: Friday, November 03, 2000 6:47 AM
Subject: [Snort-devel] Possible bug

> I posted the following to snort-users.
> ----
> I am brand new to snort.
> I have snort 1.6.3 running on an NT 4.0 workstation with a nearly 
> stock copy of rules 10102k.
> I get an alert in the alert.ids file but no decode in
> net.net.subnet  directory.  This only happens for a few rules, most
> of the rules create  the subdirectory in the log directory as
> expected.
> A specific example:
> when this rule triggers
>  alert TCP !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - 
> CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )
> I get no subdirectory for the IP that triggered it. The IP is in my
>  alerts.ids file. (The rules are all one line long - wrap is for
> email).  
> Thanks for any help
> ----
> Got a reply and tried this::
> ---
> Ahhh.... What you might want to try is add a logto: statement to
> the event.
> This will cause the info to be logged to a file. That way you can
> see if it
> is a rule issue or possibly a bug. For example...
> alert TCP !$HOME_NET any -> $HOME_NET 2301 (logto:
> "insightdotdot.txt";msg:"IDS244 -CVE-1999-0771 -
> Compaq-insight-dot-dot";
> content: "../"; )
> This should log the packet contents to the file insightdotdot.txt
> in logdir.
> Hope that helps.
> --------
> I added a logto to the rule and it posts the packets in the
> expected file.  The example I gave is just one of several I have
> seen were I get an  alert but no IP-named subdirectory in the
> logdir with packets. I will try  to supply any other info needed if
> this is in fact a bug. It may be just  my setup. If you need new
> info please email me direct, I don't monitor  this list.
> Bob Fawcett
> bobf at ...111...
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-devel

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>


More information about the Snort-devel mailing list