[Snort-devel] Reversed direction rules - do they work?

Imran William Smith iwsmith at ...1111...
Mon Mar 4 22:27:01 EST 2002


Using 1.8.4 beta 4:

There are some rules in telnet.rules with a '<-' like

alert tcp $EXTERNAL_NET any <- $HOME_NET 23 (msg:"TELNET root login"; content:"login\: root"; flags: A+; classtype:suspicious-login;
sid:719; rev:1;)

I can see the processing in rules.c that should handle
this:

#ifdef PARSERULE_REVERSED
    if(num_toks > 5 && (strncmp("<-", toks[4], 2) == 0))
    {

But PARSERULE_REVERSED is not #defined anywhere.
So, is this functionality working?

I notice that bidirectional rules (with <>) ARE working,
even though  PARSERULES_BIFURCATE is also not
defined, because there's different code to handle these:

proto_node.flags |= BIDIRECTIONAL;

Which is not #ifdeffed.

Also the PDF manual does not mention <- rules.  So
maybe telnet.rules is in error?


--
Imran William Smith
Product Development
x4207





More information about the Snort-devel mailing list