[Snort-devel] Possible bug in event queue processing - Would really appreciate some insight

Joel Esler jesler at ...402...
Sun May 15 08:38:20 EDT 2011


Peter, thanks.

We had an internal bug on this and it's fixed in Snort 2.9.1.

However, you should not use such an old version of Snort (2.8.5.2); our current version is 2.9.0.5.

J

On May 15, 2011, at 8:02 AM, Peter Politopoulos wrote:

> 
> Greetings,
> I would like to report a strange behavior which may or may not be a bug. What matters most at the moment for my snort development is whether this behavior is consistent or not.
> 
> Suppose we run Snort with only 2 rules:
>              ------------
>              stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)
>              stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)
>              ------------
> 
> where stats is defined as:
>             ------------
>             ruletype stats
>             {
>                 type alert
>                 output alert_csv: stdout msg,dgmlen
>                 output log_null
>             }
>             ------------
> ...and the event queue is configured like this:
>             ------------
>             config event_queue: log 1 order_events priority
>             ------------
> According to snort manual "priority - The highest priority (1 being the highest) events are ordered first."
> 
> Well, here is my surprise result - running a ping will produce only an "ALL" match alert.
> If I give higher priority to "ALL" then it will always produce an "ICMP" match alert - i.e. Snort produces 1 alert, and this for the _lowest_ priority event match.
> 
> If I config the queue to log 2 then I get both alerts but again with inverted priority - ALL shows up first and ICMP shows second.
> Is this a bug, expected behavior or an artifact? Most importantly is this consistent?
> 
> I am running Snort Version 2.8.5.2 (Build 121) on Debian.
> 
> Thank you for helping out!
> Peter
> 
> 
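To check what the manual's wording predicts against what a given Snort build actually emits, here is an added Python model of the documented `log N order_events priority` semantics for the two rules in the thread (my code, not Snort's; it assumes a rule without a `priority` keyword counts as priority 0, and it does not model the inverted ordering Peter observed on 2.8.5.2).

```python
import re

# Constructed copy of the two rules from the thread ('stats' is the custom ruletype).
RULES = [
    'stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)',
    'stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)',
]

# ruletype proto src_net src_port direction dst_net dst_port (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')

def parse_rule(line):
    """Extract ruletype, protocol and the msg/sid/priority options of one rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % line)
    ruletype, proto, body = m.groups()
    opts = {}
    for opt in body.split(';'):
        if opt.strip():
            key, _, val = opt.strip().partition(':')
            opts[key.strip()] = val.strip().strip('"')
    return {"ruletype": ruletype, "proto": proto, "msg": opts.get("msg", ""),
            "sid": int(opts["sid"]),
            # Assumption: a rule with neither priority nor classtype is treated as priority 0.
            "priority": int(opts.get("priority", 0))}

def matching_rules(rules, packet_proto):
    """A rule matches when its protocol equals the packet's or is the catch-all 'ip'."""
    return [r for r in rules if r["proto"] in ("ip", packet_proto)]

def order_events(matches, log):
    """Model of 'config event_queue: log N order_events priority' as the manual states it:
    lowest priority number first (1 is highest), stable on ties, then keep the first N."""
    ranked = sorted(matches, key=lambda r: r["priority"])
    return [r["msg"] for r in ranked[:log]]

def expected_alerts(rule_lines, packet_proto, log):
    """Alert msgs the manual predicts for one packet under the given queue depth."""
    rules = [parse_rule(l) for l in rule_lines]
    return order_events(matching_rules(rules, packet_proto), log)

if __name__ == "__main__":
    for log in (1, 2):
        print("log %d -> %s" % (log, expected_alerts(RULES, "icmp", log)))
```

Running it against a live sensor's alert_csv output for a single ping shows at a glance whether the build under test follows the manual (`ICMP` first) or the inverted order reported above.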