[Snort-devel] Reversed direction rules - do they work?

Imran William Smith iwsmith at ...1111...
Mon Mar 4 22:27:01 EST 2002

Using 1.8.4 beta 4:

There are some rules in telnet.rules with a '<-' like

alert tcp $EXTERNAL_NET any <- $HOME_NET 23 (msg:"TELNET root login"; content:"login\: root"; flags: A+; classtype:suspicious-login; sid:719; rev:1;)

I can see the processing in rules.c that should handle

    if(num_toks > 5 && (strncmp("<-", toks[4], 2) == 0))

But PARSERULE_REVERSED is not #defined anywhere.
So, is this functionality working?

I notice that bidirectional rules (with <>) ARE working,
even though PARSERULES_BIFURCATE is also not
defined, because there's different code to handle these:

proto_node.flags |= BIDIRECTIONAL;

Which is not #ifdeffed.

Also the PDF manual does not mention <- rules.  So
maybe telnet.rules is in error?

Imran William Smith
Product Development
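For readers following the question above, here is an added, stand-alone illustration of what a rule-header parser has to do with the three direction operators (`->`, `<-`, `<>`). It is not Snort's rules.c and not the poster's code: the struct, the function names, the `DIR_BIDIRECTIONAL` flag and the sample rules are all invented for this example. To stay self-contained it matches literal addresses only (plus the `any` wildcard); expansion of `$HOME_NET`-style variables and CIDR matching are deliberately left out. The point it demonstrates is that a `<-` rule is just a `->` rule with the two address/port pairs swapped, while `<>` keeps the pairs as written and sets a flag that the matcher honours by trying both directions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical flag name for this example (not Snort's). */
#define DIR_BIDIRECTIONAL 0x1

typedef struct {
    char action[16];
    char proto[8];
    char src_ip[64];
    char src_port[16];
    char dst_ip[64];
    char dst_port[16];
    unsigned flags;      /* DIR_BIDIRECTIONAL when the rule used "<>" */
    bool reversed;       /* true when the rule used "<-" and the sides were swapped */
} RuleHeader;

/* Copy the header portion of a rule (everything before the first '(') into buf. */
static void copy_header(const char *rule, char *buf, size_t n) {
    const char *paren = strchr(rule, '(');
    size_t len = paren ? (size_t)(paren - rule) : strlen(rule);
    if (len >= n) len = n - 1;
    memcpy(buf, rule, len);
    buf[len] = '\0';
}

/* Parse "action proto ip port dir ip port". Returns 0 on success, -1 on a
 * malformed header or an unknown direction operator. For "<-" the left and
 * right pairs are swapped so that src_* / dst_* are always in packet order. */
int parse_rule_header(const char *rule, RuleHeader *out) {
    char hdr[256], left_ip[64], left_port[16], dir[4], right_ip[64], right_port[16];

    memset(out, 0, sizeof *out);
    copy_header(rule, hdr, sizeof hdr);

    int n = sscanf(hdr, "%15s %7s %63s %15s %3s %63s %15s",
                   out->action, out->proto, left_ip, left_port, dir, right_ip, right_port);
    if (n != 7)
        return -1;

    if (strcmp(dir, "->") == 0) {
        strcpy(out->src_ip, left_ip);   strcpy(out->src_port, left_port);
        strcpy(out->dst_ip, right_ip);  strcpy(out->dst_port, right_port);
    } else if (strcmp(dir, "<-") == 0) {
        /* Reversed rule: the right-hand side is the real source. */
        out->reversed = true;
        strcpy(out->src_ip, right_ip);  strcpy(out->src_port, right_port);
        strcpy(out->dst_ip, left_ip);   strcpy(out->dst_port, left_port);
    } else if (strcmp(dir, "<>") == 0) {
        /* Bidirectional: keep the order as written, let the matcher try both ways. */
        out->flags |= DIR_BIDIRECTIONAL;
        strcpy(out->src_ip, left_ip);   strcpy(out->src_port, left_port);
        strcpy(out->dst_ip, right_ip);  strcpy(out->dst_port, right_port);
    } else {
        return -1;
    }
    return 0;
}

/* Literal comparison with "any" as the only wildcard (no variables, no CIDR). */
static bool field_matches(const char *pattern, const char *value) {
    return strcmp(pattern, "any") == 0 || strcmp(pattern, value) == 0;
}

/* Does a packet s_ip:s_port -> d_ip:d_port match the header, honouring direction? */
bool header_matches(const RuleHeader *h, const char *s_ip, const char *s_port,
                    const char *d_ip, const char *d_port) {
    bool fwd = field_matches(h->src_ip, s_ip) && field_matches(h->src_port, s_port)
            && field_matches(h->dst_ip, d_ip) && field_matches(h->dst_port, d_port);
    if (fwd)
        return true;
    if (!(h->flags & DIR_BIDIRECTIONAL))
        return false;
    return field_matches(h->src_ip, d_ip) && field_matches(h->src_port, d_port)
        && field_matches(h->dst_ip, s_ip) && field_matches(h->dst_port, s_port);
}

int main(void) {
    /* Constructed sample rule in the shape of the telnet rule quoted above,
     * with literal addresses standing in for $EXTERNAL_NET / $HOME_NET. */
    const char *rule = "alert tcp 10.0.0.5 any <- 192.168.1.10 23 (msg:\"TELNET root login\";)";
    RuleHeader h;
    if (parse_rule_header(rule, &h) != 0) {
        puts("parse error");
        return 1;
    }
    printf("reversed=%d src=%s:%s dst=%s:%s\n", h.reversed,
           h.src_ip, h.src_port, h.dst_ip, h.dst_port);
    printf("server->client telnet packet matches: %d\n",
           header_matches(&h, "192.168.1.10", "23", "10.0.0.5", "4000"));
    printf("client->server telnet packet matches: %d\n",
           header_matches(&h, "10.0.0.5", "4000", "192.168.1.10", "23"));
    return 0;
}
```

Running it shows the reversed rule firing only on traffic from 192.168.1.10:23 towards the client, which is what the quoted `<-` telnet rule intends; changing the operator to `<>` in the sample makes both calls report a match, and an unknown operator is rejected at parse time rather than silently treated as `->`.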

