[Snort-devel] Fwd: Inconsistencies with ruletype definition in >= Snort

Yun Zheng Hu yunzheng.hu at ...2499...
Fri May 14 11:07:17 EDT 2010

Forwarding this to the mailing list as I got no reply from bugs at ...835...

---------- Forwarded message ----------
From: Yun Zheng Hu <yunzheng.hu at ...2499...>
Date: Tue, Apr 27, 2010 at 15:06
Subject: Inconsistencies with ruletype definition in >= Snort
To: bugs at ...835...


We use the 'ruletype' definition to mark some rules as 'pending',
which means they only log to a file instead of creating a unified log.
We used to use Snort but with the change of some keywords in
VRT we are transitioning to Snort 2.8.6.

We found out that on one of our production sensors the 'pending'
ruletype stopped working when upgrading to Snort, (also tested
on 2.8.6). I have been able to reduce the problem to a minimal pcap
and ruleset to fully reproduce the bug.

See the attachment:

$ tar -zxvf test-case.tar.gz
$ cd test-case
$ ./test-bug.sh
# you see that the 'snort.pending' file is empty, so snort bugged.

$ ./test-no-bug.sh
# you see that the 'snort.pending' file works, because it contains data.

The two shell scripts are the same but include a different snort
config file. The only difference between these two files is
the definition of a subnet that is used in one of the rules.

Some info that was required for submitting a bug:
 - Running Snort 2.8.5, also tested on 2.8.6
 - There are only 2 rules in the test set.
 - Snort was built from Gentoo ebuilds.
 - Config files are included in the tar.gz
 - Snort runs on Gentoo Linux on a Dell 1950 (32 bits)
 - I know the HOME_NET definition is really big, but we use this
   method to exclude specific IP addresses as they are web proxy
   servers (and thus EXTERNAL).
 - the attached test-case should provide everything you need.

Hope you guys can debug/fix the problem with the test setup. In the
meanwhile we are forced to stop using the 'ruletype' feature. If you
need more information please let me know.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-case.tar.gz
Type: application/x-gzip
Size: 8721 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20100514/5cb69755/attachment.bin>
