[Snort-devel] same content different service, only first rule honored.

Chris Green cmg at ...402...
Thu May 2 13:39:33 EDT 2002


Phil Wood <cpw at ...86...> writes:

> Is this a known problem?
>
> Given:
>
>   The following two rules;
>
> redalert tcp any 18 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20018; rev:2;)
> redalert tcp any 19 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20019; rev:2;)
>
> Where redalert is defined as:
>
>   ruletype redalert
>   {
>     type alert
>     output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
>   }
>
>
> Then:
>
> Only rule "18" will fire when a packet with a source port of 18 is sent.
> Rule "19" will not trigger.  Is this a problem with new pattern matching code?
>
> To test this do the following:
>
> On the server:
> while true; do
>   nc -p 1022 -l
> done
>
> On the client:
>
> for p in 18 19; do id | nc -p $p server 1022;sleep 2; done
>
> Check your logs.  Only the port 18 packet will show up.

Hrm.

May  2 15:26:13 apoc snort: [1:20018:2] SYSTEM COMPROMISED id check
returned root {TCP} 172.16.1.14:18 -> xxx.xxx.xxx.xxx:80
May  2 15:26:13 apoc snort: [1:20019:2] SYSTEM COMPROMISED id check
returned root {TCP} 172.16.1.14:19 -> xxx.xxx.xxx.xxx:80

Is me doing it on current. Hrm.

It worked the same with alert instead of redalert as well.
-- 
Chris Green <cmg at ...402...>
"I'm beginning to think that my router may be confused."
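Added example, not Snort's code and not part of either message above: a toy Python rule matcher that parses the two quoted rules and checks a packet with source port 18 and then 19 against both, showing the behaviour Chris's log shows, namely that each rule fires for its own port even though both carry the identical content string. The TCP flag test (flags:A+) is assumed satisfied and is not modeled; the payload is a constructed sample of `id` output.

```python
import re
from dataclasses import dataclass

# Constructed rule text: the two rules quoted in the thread, verbatim.
RULES = """
redalert tcp any 18 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20018; rev:2;)
redalert tcp any 19 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20019; rev:2;)
"""

# Rule header layout: action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

@dataclass
class Rule:
    action: str
    proto: str
    sport: str
    dport: str
    content: bytes
    sid: int
    rev: int

def parse_rules(text):
    """Parse the header plus the content/sid/rev options of each rule line."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, _src, sport, _dst, dport, opts = m.groups()
        o = {}
        for opt in opts.split(';'):
            if ':' in opt:
                k, v = opt.split(':', 1)
                o[k.strip()] = v.strip().strip('"')
        rules.append(Rule(action, proto, sport, dport,
                          o['content'].encode(), int(o['sid']), int(o['rev'])))
    return rules

def port_ok(spec, port):
    return spec == 'any' or int(spec) == port

def match(rules, proto, sport, dport, payload):
    """Return a [gid:sid:rev] tag (as in the syslog lines above) for every
    rule the packet triggers. flags:A+ is assumed satisfied (not checked)."""
    return [f"[1:{r.sid}:{r.rev}]" for r in rules
            if r.proto == proto and port_ok(r.sport, sport)
            and port_ok(r.dport, dport) and r.content in payload]
```

Running `match(parse_rules(RULES), 'tcp', 19, 1022, b'uid=0(root) gid=0(root)\n')` returns only the sid 20019 tag, which is the result Phil's test expects for the second rule.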
