[Snort-devel] ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase)

Martijn van Oosterhout kleptog at ...2499...
Thu Jun 12 05:31:33 EDT 2014


On 11 June 2014 19:17, Joel Esler (jesler) <jesler at ...3461...> wrote:

>  On Jun 11, 2014, at 12:01 PM, Martijn van Oosterhout <kleptog at ...2499...>
> wrote:
>
> Snort version: 2.9.6.0, but appears to affect older versions as well
>
>  I have to ask…  Did you replicate it with the current shipping version?
>  2.9.6.1?
>
>
>
Fails there too. Attached are two typescript outputs for two successive
runs on 2.9.6.1, using a pristine tarball from the website built with
./configure --enable-debug. The only difference between the two runs is the
comment symbol in the snort.conf. As to why Nicholas can't reproduce it, I
don't know. I've included the md5sums of the config files to see if there
are other possibilities.

I also checked with strace that it was loading the correct config files.

Anything else I can try?

Have a nice day,
-- 
Martijn van Oosterhout <kleptog at ...2499...> http://svana.org/kleptog/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: typescript.fail
Type: application/octet-stream
Size: 20905 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140612/577dafbe/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: typescript.ok
Type: application/octet-stream
Size: 20873 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140612/577dafbe/attachment-0001.obj>

