[Snort-devel] [ snort-Bugs-231641 ] include directives do not work right.

noreply at ...12... noreply at ...12...
Thu Sep 27 23:44:06 EDT 2001


Bugs item #231641, was opened at 2001-02-08 19:15
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=231641&group_id=3357

Category: None
Group: None
>Status: Deleted
>Resolution: Out of Date
Priority: 5
Submitted By: Tony LIll (ajlill)
>Assigned to: Martin Roesch (roesch)
Summary: include directives do not work right.

Initial Comment:
Invoking snort 1.7 with the following options:
/usr/local/bin/snort -opNs -c /usr/local/etc/vision.conf -i eth0
the following vision.conf, and the ping-lib from the snort distribution causes alerts for IDS152. The pass rule is copied from the ping-lib file and alert changed to pass. If I include the contents of ping-lib in the vision.conf file instead of using the include directive, no alert is generated, as I expect. This is on RedHat 6.2 and 7.0.

var HOME_NET 192.168.0.4/32
include /usr/local/etc/snort/ping-lib
pass icmp any any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;) 


----------------------------------------------------------------------

Comment By: Martin Roesch (roesch)
Date: 2001-03-26 15:04

Message:
Logged In: YES 
user_id=18573

Ok, there was a bug in the rule ordering code that I believe
caused this problem.  We committed a fix for it to CVS a
couple weeks ago, try it out and let me know how it goes.

----------------------------------------------------------------------

Comment By: Tony LIll (ajlill)
Date: 2001-03-13 20:14

Message:
Logged In: YES 
user_id=21656

I hate to disagree with the author of a program about how it
works, but...
Since pass and alert rules are linked into different lists,
and there is only one pass rule, and I am using the -o
option, the order it appears in the config file should not 
matter. I compiled the program with -DDEBUG, and, aside from
the rule numbering being off by one, I got the same
structure whether I put the pass rule before or after the
include.

Even if order did matter, why does it behave
differently if I include the contents of ping-lib in
vision.conf while keeping the order the same?



----------------------------------------------------------------------
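
Tony's argument above is that pass and alert rules live in separate lists, so with -o the pass rule should win wherever it sits relative to the include. As an added illustration (not Snort's own code), this Python model expands var/include into separate pass and alert lists and evaluates a constructed BSD-style echo request under both orderings; the in-memory file contents, the packet and every function name are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed in-memory stand-ins for the two files in the report, so this runs offline.
PING_BSD = ('icmp any any -> $HOME_NET any (msg:"IDS152 - PING BSD"; '
            'content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;)')
FILES = {
    "/usr/local/etc/snort/ping-lib": "alert " + PING_BSD + "\n",
    "/usr/local/etc/vision.conf": "var HOME_NET 192.168.0.4/32\n"
                                  "include /usr/local/etc/snort/ping-lib\npass " + PING_BSD + "\n",
}
HEADER = re.compile(r"(\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)")

def parse_rule(text):
    """Keep only the fields this toy matcher uses; content must be in |hex| form."""
    proto, _, _, dst, _, opts = HEADER.match(text).groups()
    o = dict(p.strip().split(":", 1) for p in opts.split(";") if p.strip())
    o = {k: v.strip().strip('"') for k, v in o.items()}
    return {"proto": proto, "dst": dst, "msg": o["msg"], "itype": int(o["itype"]),
            "depth": int(o["depth"]), "content": bytes.fromhex(o["content"].strip("|"))}

def load_rules(path, files=FILES, variables=None):
    """Expand var/include directives; pass and alert rules go into separate lists."""
    variables = {} if variables is None else variables
    lists = {"pass": [], "alert": []}
    for line in files[path].splitlines():
        kind, _, rest = line.strip().partition(" ")
        if kind == "var":
            name, _, value = rest.partition(" ")
            variables[name] = value
        elif kind == "include":           # recurse with the same variable scope
            for k, rules in load_rules(rest, files, variables).items():
                lists[k].extend(rules)
        elif kind in lists:
            for name, value in variables.items():
                rest = rest.replace("$" + name, value)
            lists[kind].append(parse_rule(rest))
    return lists

def first_verdict(lists, pkt, pass_first):
    """Action of the first matching rule; pass_first=True models snort -o."""
    for kind in (("pass", "alert") if pass_first else ("alert", "pass")):
        for r in lists[kind]:
            if (r["proto"] == pkt["proto"] and r["itype"] == pkt["itype"]
                    and (r["dst"] == "any" or ip_address(pkt["dst"]) in ip_network(r["dst"]))
                    and r["content"] in pkt["payload"][:r["depth"]]):
                return kind, r["msg"]
    return None
# Constructed BSD-style echo request: 8-byte timestamp, then the 0x08..0x17 pattern
BSD_PING = {"proto": "icmp", "dst": "192.168.0.4", "itype": 8,
            "payload": bytes(8) + bytes(range(0x08, 0x18)) + bytes(range(0x18, 0x38))}
```

Moving the pass rule above the include in vision.conf produces identical lists, which is the behaviour the report says an unbroken ordering code should show.

----------------------------------------------------------------------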

Comment By: Martin Roesch (roesch)
Date: 2001-03-05 12:44

Message:
Logged In: YES 
user_id=18573

You need to put the pass rule before the include if you want 
it to work.  See the snort-users mailing list archives for a 
description of how rule ordering works.

----------------------------------------------------------------------

Comment By: Tony LIll (ajlill)
Date: 2001-02-09 14:00

Message:
I just tried re-compiling snort with -DDEBUG, and the problem went away. I also tried a debug malloc library, and the problem went away when checking for overflows, but not underflows. Unfortunately, I couldn't get it to print anything useful.

----------------------------------------------------------------------
