[Snort-sigs] snort-inline and config detection: search-method

Christian Swartzbaugh feofil at ...2420...
Fri Oct 27 18:12:41 EDT 2006


For several search-methods, including the defaults, snort compiled
with inline does not drop in certain cases and in other cases does not
alert. It is not consistent across different search methods either.

snort 2.6.0.2 (with --enable-inline)
config detection: search-method ac-std
(and others)

drop any any -> any any (msg:"does not drop"; content:"12345";
threshold: type both, track by_src, limit 3, seconds 30; )


Different search methods seem to treat dropping all differently. Can
anyone describe what the idea is here and why the different search
methods are causing problems for inline? Or should I visit the
snort-inline mailing lists?

feofil



