[Snort-devel] same content different service, only first rule honored.

Phil Wood cpw at ...86...
Tue Apr 30 16:01:12 EDT 2002


Is this a known problem?

Given:

  The following two rules:

redalert tcp any 18 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20018; rev:2;)
redalert tcp any 19 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20019; rev:2;)

Where redalert is defined as:

  ruletype redalert
  {
    type alert
    output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
  }


Then:

Only rule "18" will fire when sent a packet with a source port of 18.
Rule "19" will not trigger.  Is this a problem with the new pattern matching code?

To test this do the following:

On the server (traditional netcat syntax: listen on local port 1022, relooping after each connection):
while true; do
  nc -p 1022 -l
done

On the client (send the output of id from source port 18, then from source port 19):

for p in 18 19; do id | nc -p $p server 1022; sleep 2; done

Check your logs.  Only the port 18 packet will show up.
Thanks,

Phil
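Added example, not part of the post above and not Snort code: a minimal Python rule matcher that parses the two rules quoted in the post and evaluates them independently against a constructed payload, to show the behaviour the poster expects (sid 20018 fires for source port 18, sid 20019 for source port 19). It assumes `redalert` behaves like `alert` (as the quoted ruletype defines it), only supports the header fields and the `content`, `flags` (plain and `+` forms), `sid` and `msg` options used in those rules, and does not reproduce the reported Snort behaviour; the rule text and the `ID_OUTPUT` payload are constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the two rules quoted in the post, verbatim.
RULES_TEXT = """\
redalert tcp any 18 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20018; rev:2;)
redalert tcp any 19 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20019; rev:2;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# TCP flag bits in wire order (FIN, SYN, RST, PSH, ACK, URG).
TCP_FLAG_BITS = {'F': 1, 'S': 2, 'R': 4, 'P': 8, 'A': 16, 'U': 32}


@dataclass
class Rule:
    sid: int
    proto: str
    sport: str
    dport: str
    content: bytes
    flags: str
    msg: str


def parse_options(opts: str) -> Dict[str, str]:
    """Split 'key:value; key:value;' options. Splits on ';' naively, which is
    enough for the sample rules (no ';' inside quoted values)."""
    out: Dict[str, str] = {}
    for item in opts.split(';'):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(':')
        out[key.strip()] = value.strip().strip('"')
    return out


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        o = parse_options(m['opts'])
        rules.append(Rule(sid=int(o['sid']), proto=m['proto'], sport=m['sport'],
                          dport=m['dport'], content=o['content'].encode(),
                          flags=o.get('flags', ''), msg=o.get('msg', '')))
    return rules


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a 'lo:hi' range. Negation ('!') is not handled."""
    if spec == 'any':
        return True
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def flags_match(spec: str, flags: int) -> bool:
    """Exact flag match, or with a trailing '+' (as in 'A+') the named bits must
    be set and any others are ignored. The '*' and '!' modifiers are omitted."""
    if not spec:
        return True
    plus = spec.endswith('+')
    want = sum(TCP_FLAG_BITS[c] for c in spec.rstrip('+'))
    return (flags & want) == want if plus else flags == want


def matching_sids(rules: List[Rule], proto: str, sport: int, dport: int,
                  flags: int, payload: bytes) -> List[int]:
    """Evaluate every rule on its own: two rules sharing the same content
    string are both checked, so a port-19 packet must still reach sid 20019."""
    return [r.sid for r in rules
            if r.proto == proto
            and port_matches(r.sport, sport)
            and port_matches(r.dport, dport)
            and flags_match(r.flags, flags)
            and r.content in payload]


# Constructed sample payload, shaped like the output of `id` run as root.
ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"

if __name__ == '__main__':
    rules = parse_rules(RULES_TEXT)
    ack_psh = TCP_FLAG_BITS['A'] | TCP_FLAG_BITS['P']
    for p in (18, 19):
        print(p, matching_sids(rules, 'tcp', p, 1022, ack_psh, ID_OUTPUT))
```

Running it prints `18 [20018]` and `19 [20019]`, which is the result the poster's test expects from Snort; a matcher that only ever reports 20018 for both source ports would be showing the behaviour the post reports.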
