[Snort-devel] odd problems with 2.3rc2

Russell Fulton r.fulton at ...1343...
Mon Jan 10 13:52:10 EST 2005

On Mon, 2005-01-10 at 10:11 -0500, Matthew Watchinski wrote:
> Is this occurring with rules in the official snort set or only with 
> bleeding snort rules?  If so what are the sids

The real problem seems to be confined to one bleeding snort rule:

Rules/rules/bleeding-malware.rules:alert tcp $HOME_NET any ->
Agent Traffic"; classtype:policy-violation;
reference:url,www.funwebproducts.com; content:"FunWebProducts\;";
nocase; flow:to_server,established; threshold:type limit, track by_src,
count 2, seconds 360; sid:2001034; rev:10;)

I am getting tagged packets on other rules but these could be explained
by Dirk's suggestion.

So what I am seeing is this rule being triggered and the packet
associated with the alert does not have the content that the rule looks
for. These packets also seem to generate tagged packets that also lack
the trigger content.

I have just done a report on alerts for 2001034 aggregated by source
address and the addresses fall clearly into two categories: one with
just one or two alerts and others with lots of alerts.  The second are
genuine alerts, the former are false alerts (at least all the ones I
sampled) and are associated with tagged packets.

Hope this helps, please let me know if I can do any more debugging!
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand

More information about the Snort-devel mailing list