[Snort-devel] Possible bug
mike at ...27...
Fri Nov 3 23:50:44 EST 2000
Sorry I never replied to you in -users, I lost the message in
the fray :) Can you please send me a copy of your complete rules
file, what command line args you are using, Service Pack, and version
of the winpcap driver.
Hopefully we can get to the bottom of this because I have tested
snort-win32 extensively and never had this problem.
Chief Technical Officer
Data Nerds, LLC.
----- Original Message -----
From: "Bob Fawcett" <bobf at ...111...>
To: <snort-devel at lists.sourceforge.net>
Sent: Friday, November 03, 2000 6:47 AM
Subject: [Snort-devel] Possible bug
> I posted the following to snort-users.
> I am brand new to snort.
> I have snort 1.6.3 running on an NT 4.0 workstation with a nearly
> stock copy of rules 10102k.
> I get an alert in the alert.ids file but no decode in
> net.net.subnet directory. This only happens for a few rules, most
> of the rules create the subdirectory in the log directory as
> A specific example:
> when this rule triggers
> alert TCP !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 -
> CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )
> I get no subdirectory for the IP that triggered it. The IP is in my
> alerts.ids file. (The rules are all one line long - wrap is for
> Thanks for any help
> Got a reply and tried this:
> Ahhh.... What you might want to try is add a logto: statement to
> the event.
> This will cause the info to be logged to a file. That way you can
> see if it
> is a rule issue or possibly a bug. For example...
> alert TCP !$HOME_NET any -> $HOME_NET 2301 (logto:
> "insightdotdot.txt";msg:"IDS244 -CVE-1999-0771 -
> content: "../"; )
> This should log the packet contents to the file insightdotdot.txt
> in logdir.
> Hope that helps.
> I added a logto to the rule and it posts the packets in the
> expected file. The example I gave is just one of several I have
> seen where I get an alert but no IP-named subdirectory in the
> logdir with packets. I will try to supply any other info needed if
> this is in fact a bug. It may be just my setup. If you need new
> info please email me direct, I don't monitor this list.
> Bob Fawcett
> bobf at ...111...
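The two rules quoted in the thread (the original and the logto variant) differ only in where Snort is expected to write the triggering packet. The following Python is an added illustration, not Snort's own code: it parses the Snort 1.6-era rule syntax shown above (header plus a semicolon-separated option body where quoted strings may contain semicolons) and reports the expected log destination. The per-host directory naming and the logdir name are assumptions taken from the thread's description, and the two rules are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the rule syntax quoted in the thread: the plain rule
# and the variant carrying the logto option suggested on the list.
RULE_PLAIN = ('alert TCP !$HOME_NET any -> $HOME_NET 2301 '
              '(msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )')
RULE_LOGTO = ('alert TCP !$HOME_NET any -> $HOME_NET 2301 (logto: "insightdotdot.txt";'
              'msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )')

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'key: "value"; key2: value;' into (key, value) pairs. A semicolon
    inside a quoted string (common in msg text) must not end the option."""
    opts: List[Tuple[str, str]] = []
    buf, in_quote = '', False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            if buf.strip():
                key, _, val = buf.partition(':')
                opts.append((key.strip(), val.strip().strip('"')))
            buf = ''
        else:
            buf += ch
    if buf.strip():  # trailing option written without a closing semicolon
        key, _, val = buf.partition(':')
        opts.append((key.strip(), val.strip().strip('"')))
    return opts


def parse_rule(rule: str) -> Dict[str, object]:
    """Parse one single-line rule into its header fields and option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a rule: ' + rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {'action': action, 'proto': proto.upper(), 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport,
            'options': split_options(body)}


def log_destination(rule: str, remote_ip: str, logdir: str = 'log') -> str:
    """Expected packet log location: the logto file when the rule names one,
    otherwise the per-host subdirectory (assumption: named after the remote
    address, as the thread describes the default behaviour)."""
    opts = dict(parse_rule(rule)['options'])
    if 'logto' in opts:
        return f'{logdir}/{opts["logto"]}'
    return f'{logdir}/{remote_ip}/'
```

Running `log_destination` on both sample rules shows the difference the list reply was probing for: the logto rule resolves to a single file in logdir, the plain rule to a host-named subdirectory.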