[Snort-devel] Reversed direction rules - do they work?

Chris Green cmg at ...835...
Tue Mar 5 06:45:12 EST 2002


"Imran William Smith" <iwsmith at ...1111...> writes:

> Using 1.8.4 beta 4:
>
> There are some rules in telnet.rules with a '<-' like
>
> alert tcp $EXTERNAL_NET any <- $HOME_NET 23 (msg:"TELNET root login"; content:"login\: root"; flags: A+; classtype:suspicious-login;
> sid:719; rev:1;)

These need to be changed.  They are in error.


> But PARSERULE_REVERSED is not #defined anywhere.
> So, is this functionality working?

Theoretically, if you define PARSERULE_REVERSED, it will rewrite the
rule to swap the left and right hand sides and then parse the rules as
normal.

While this patch was accepted, it confused the heck out of people and
the 
>
> I notice that bidirectional rules (with <>) ARE working,
> even though  PARSERULES_BIFURCATE is also not
> defined, because there's different code to handle these:
>

Yes, that's old cruft code that was for when <> didn't work and it
would be inserted as 2 rules.  It needs to be removed from current and
will be reexamined along with the rules parser.


> proto_node.flags |= BIDIRECTIONAL;

And this is the proper one.
>
>
> Which is not #ifdeffed.
>
> Also the PDF manual does not mention <- rules.  So
> maybe telnet.rules is in error?
>

They were a hack I did a long time ago (1.5 years) and we ended up
deciding that all rules should end up being written the same way so
that there's a bit less thinking needed when looking at a rule.

We will need to change all the <- rules. Thanks for pointing it out.
-- 
Chris Green <cmg at ...835...>
Fame may be fleeting but obscurity is forever.
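The rewrite Chris describes (swap the left and right hand sides of a `<-` rule, then parse it as a normal `->` rule) is small enough to show in full. The following is an added example, not Snort's own parser code and not part of the original thread: a normalizer that turns a `<-` header into the equivalent `->` header, leaves `->` and `<>` rules alone, and an audit helper that lists the sids of every `<-` rule in a rule file so they can be rewritten. It assumes the usual one-rule-per-line text format; the sample rule file below is constructed for the example, with only the `sid:719` telnet rule taken from the thread.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port [ (options) ]
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<-|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'(?P<options>\(.*\))?\s*$',
    re.DOTALL,
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# The '<-' rule quoted in the thread (the two wrapped lines joined back together).
REVERSED_RULE = (
    r'alert tcp $EXTERNAL_NET any <- $HOME_NET 23 (msg:"TELNET root login"; '
    r'content:"login\: root"; flags: A+; classtype:suspicious-login; sid:719; rev:1;)'
)

# Constructed rule file: the real sid:719 rule plus two made-up rules
# (sids in the local range) to show that '->' and '<>' headers are left alone.
SAMPLE_RULES = "\n".join([
    "# constructed sample rule file for the example",
    REVERSED_RULE,
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed forward rule"; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any <> $EXTERNAL_NET 23 (msg:"constructed bidirectional rule"; sid:1000002; rev:1;)',
])


def normalize_rule(rule: str) -> str:
    """Rewrite a '<-' rule as the equivalent '->' rule by swapping the
    source and destination address/port pairs, the way the reply describes
    PARSERULE_REVERSED working. '->' and '<>' rules come back unchanged
    apart from header whitespace being collapsed to single spaces."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {rule!r}")
    f = m.groupdict()
    if f['dir'] == '<-':
        f['src'], f['dst'] = f['dst'], f['src']
        f['sport'], f['dport'] = f['dport'], f['sport']
        f['dir'] = '->'
    header = f"{f['action']} {f['proto']} {f['src']} {f['sport']} {f['dir']} {f['dst']} {f['dport']}"
    return header + (' ' + f['options'] if f['options'] else '')


def find_reversed(rules_text: str) -> list:
    """Return the sid of every '<-' rule in a rule file (one rule per line;
    blank lines and '#' comments are skipped). A '<-' rule without a sid is
    reported as '<no sid>' so it is not silently missed."""
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if m and m.group('dir') == '<-':
            sid = SID_RE.search(line)
            found.append(sid.group(1) if sid else '<no sid>')
    return found


def normalize_file(rules_text: str) -> str:
    """Rewrite every '<-' rule in a rule file, passing comments and blank
    lines through untouched."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)
        else:
            out.append(normalize_rule(stripped))
    return "\n".join(out)


if __name__ == '__main__':
    print("reversed rules (by sid):", find_reversed(SAMPLE_RULES))
    print(normalize_file(SAMPLE_RULES))
```

Running the audit over a copy of the stock rule set is the quick way to find everything that needs the rewrite Chris mentions; the normalizer is idempotent, so running it twice over the same file changes nothing on the second pass.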



