[Snort-devel] [Bug #131641] include directives do not work right.

Martin Roesch roesch at ...48...
Fri Feb 9 02:21:59 EST 2001


I'm having a hard time making sense of this bug report, does anyone else
know what it's saying?  Is this person trying to detect IDS152 or pass
it?  From the description below it appears that everything is working
fine (i.e. pass rules are considered before alert rules when -o is
specified, regardless of relative ordering of the rules).


   -Marty

noreply at ...12... wrote:
> 
> Bug #131641, was updated on 2001-Feb-08 19:15
> Here is a current snapshot of the bug.
> 
> Project: Snort
> Category: None
> Status: Open
> Resolution: None
> Bug Group: None
> Priority: 5
> Submitted by: ajlill
> Assigned to : nobody
> Summary: include directives do not work right.
> 
> Details: Invoking snort 1.7 with the following options:
> /usr/local/bin/snort -opNs -c /usr/local/etc/vision.conf -i eth0
> the following vision.conf, and the ping-lib from the snort distribution
> causes alerts for IDS152. The pass rule is copied from the ping-lib file
> and alert changed to pass. If I include the contents of ping-lib in the
> vision.conf file instead of using the include directive, no alert is
> generated, as I expect. This is on RedHat 6.2 and 7.0
> 
> var HOME_NET 192.168.0.4/32
> include /usr/local/etc/snort/ping-lib
> pass icmp any any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;)
> 
> For detailed info, follow this link:
> http://sourceforge.net/bugs/?func=detailbug&bug_id=131641&group_id=3357
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org
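
The behaviour the report expects, as an added example that is not part of the original message or of Snort's code: a small Python model that flattens a config through an include directive and evaluates the rules pass-first, as with -o. The in-memory file names, the stand-in ping-lib content, the payload and the function names are constructed for illustration; the model covers expected semantics only and does not reproduce the reported bug.

```python
import re

# Order in which rule actions are tried: Snort's default, and the order -o selects.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

# Constructed sample: the IDS152 rule body from the report, without its action.
RULE = ('icmp any any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: '
        '"|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;)')
VAR = "var HOME_NET 192.168.0.4/32\n"
# Constructed in-memory files; "ping-lib" stands in for the distribution file.
FILES = {
    "ping-lib": "alert " + RULE,
    "vision.conf": VAR + "include ping-lib\npass " + RULE,
    "inline.conf": VAR + "alert " + RULE + "\npass " + RULE,
}
PAYLOAD = bytes(range(0x08, 0x38))  # constructed ICMP echo payload

def load_rules(name, files, out=None):
    """Flatten a config into one rule list, expanding include directives."""
    out = [] if out is None else out
    for line in files[name].splitlines():
        word, _, rest = line.strip().partition(" ")
        if word == "include":
            load_rules(rest.strip(), files, out)
        elif word in DEFAULT_ORDER:  # var lines and anything else are skipped
            msg = re.search(r'msg:\s*"([^"]*)"', rest).group(1)
            itype = int(re.search(r"itype:\s*(\d+)", rest).group(1))
            depth = int(re.search(r"depth:\s*(\d+)", rest).group(1))
            hexstr = re.search(r'content:\s*"\|([^|]*)\|"', rest).group(1)
            out.append((word, msg, itype, depth, bytes.fromhex(hexstr)))
    return out

def verdict(rules, itype, payload, pass_first):
    """Return (action, msg) of the first match; addresses are not modelled."""
    for action in PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER:
        for act, msg, r_itype, depth, content in rules:
            if act == action and r_itype == itype and content in payload[:depth]:
                return action, msg
    return None

if __name__ == "__main__":
    for conf in ("vision.conf", "inline.conf"):
        print(conf, verdict(load_rules(conf, FILES), 8, PAYLOAD, pass_first=True))
```

A sensor that alerts on the included layout but not on the inlined one, with the same rules and -o set, diverges from this model in its include handling rather than in its rule ordering.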
