[Snort-devel] Possible bug in event queue processing - Would really appreciate some insight

Peter Politopoulos ppolitop at ...2499...
Sun May 15 08:02:02 EDT 2011


Greetings,
I would like to report a strange behavior which may or may not be a bug. What matters most at the moment for my snort development is whether this behavior is consistent or not.

Suppose we run Snort with only 2 rules:
              ------------
              stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)
              stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)
              ------------

where stats is defined as:
            ------------
             ruletype stats
            {
             type alert
             output alert_csv: stdout msg,dgmlen
             output log_null
            }
            ------------
...and event queue is configured like this:
             ------------
             config event_queue: log 1 order_events priority
             ------------
According to snort manual "priority - The highest priority (1 being the highest) events are ordered first."

Well, here is my surprise result - running a ping will produce only an "ALL" match alert.
If I give higher priority to "ALL" then it will always produce an "ICMP" match alert - i.e. snort produces 1 alert and this for the _lowest_ priority event match.

If I config the queue to log 2 then I get both alerts but again with inverted priority - ALL shows up first and ICMP shows second.
Is this a bug, expected behavior or an artifact? Most importantly is this consistent?

I am running Snort Version 2.8.5.2 (Build 121) on Debian.

Thank you for helping out!
Peter





More information about the Snort-devel mailing list