[Snort-devel] same content different service, only first rule honored.

Phil Wood cpw at ...86...
Thu May 2 16:39:02 EDT 2002


I'm sorry to have sent the original "Is this a known problem".  I've since
sent an update.  The problem seems to be with multi-content rules.
The port 18/19 was some kind of bad dream.

On Thu, May 02, 2002 at 03:31:12PM -0400, Chris Green wrote:
> Phil Wood <cpw at ...86...> writes:
> 
> > Is this a known problem?
> >
> > Given:
> >
> >   The following two rules;
> >
> > redalert tcp any 18 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20018; rev:2;)
> > redalert tcp any 19 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20019; rev:2;)
> >
> > Where redalert is defined as:
> >
> >   ruletype redalert
> >   {
> >     type alert
> >     output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
> >   }
> >
> >
> > Then:
> >
> > Only rule "18" will fire when sent packet with source port of 18.
> > Rule "19" will not trigger.  Is this a problem with new pattern matching code?
> >
> > To test this do the following:
> >
> > On the server:
> > while true; do
> >   nc -p 1022 -l
> > done
> >
> > On the client:
> >
> > for p in 18 19; do id | nc -p $p server 1022;sleep 2; done
> >
> > Check your logs.  Only the port 18 packet will show up.
> 
> Hrm.
> 
> May  2 15:26:13 apoc snort: [1:20018:2] SYSTEM COMPROMISED id check
> returned root {TCP} 172.16.1.14:18 -> xxx.xxx.xxx.xxx:80
> May  2 15:26:13 apoc snort: [1:20019:2] SYSTEM COMPROMISED id check
> returned root {TCP} 172.16.1.14:19 -> xxx.xxx.xxx.xxx:80
> 
> Is me doing it on current. Hrm.
> 
> It worked the same with alert instead of redalert as well
> -- 
> Chris Green <cmg at ...402...>
> "I'm beginning to think that my router may be confused."

-- 
Phil Wood, cpw at ...86...
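As an added illustration (not Snort's code and not from anyone in the thread), here is a tiny matcher for the rule syntax quoted above. It replays the client loop from the thread against the two rules and shows the behaviour Chris's syslog lines confirm: two rules sharing one content string but differing in source port are distinct rules, so the port 18 packet fires sid 20018 and the port 19 packet fires sid 20019. The packet dicts, the payload and the parser's field names are my own assumptions.

```python
import re

# Added illustration, not Snort's own code. The two rules are copied verbatim
# from the thread; everything else (parser, packet layout) is constructed here.
RULES = [
    'redalert tcp any 18 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20018; rev:2;)',
    'redalert tcp any 19 -> any any (msg: "SYSTEM COMPROMISED id check returned root"; flags:A+; content: "uid=0(root)"; classtype:successful-admin ; sid:20019; rev:2;)',
]

# action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(text):
    """Split one rule into its header fields and a dict of its options."""
    action, proto, src, sport, dst, dport, body = HEADER.match(text).groups()
    opts = {}
    for opt in body.split(';'):
        if ':' in opt:
            k, v = opt.split(':', 1)
            opts[k.strip()] = v.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def port_ok(spec, port):
    """'any' matches everything; otherwise the port must match exactly."""
    return spec == "any" or int(spec) == port

def match(rules, pkt):
    """Return the sids of every rule whose header and options match pkt."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (port_ok(r["sport"], pkt["sport"]) and port_ok(r["dport"], pkt["dport"])):
            continue
        # flags:A+ (the only form used on the page): ACK must be set, others may be
        if r["opts"].get("flags", "").startswith("A") and "A" not in pkt["flags"]:
            continue
        if r["opts"]["content"].encode() not in pkt["payload"]:
            continue
        hits.append(int(r["opts"]["sid"]))
    return hits

def run_test():
    """Replay the client loop: the output of `id` sent from port 18, then 19."""
    rules = [parse_rule(t) for t in RULES]
    payload = b"uid=0(root) gid=0(root) groups=0(root)\n"  # constructed sample
    return {p: match(rules, {"proto": "tcp", "sport": p, "dport": 1022,
                             "flags": "AP", "payload": payload}) for p in (18, 19)}
```

`run_test()` returns `{18: [20018], 19: [20019]}`, i.e. each rule fires for its own port and neither is shadowed by the other.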