[Snort-users] Problem with version 1.6.2.2 and above...

Martin Roesch roesch at ...1...
Thu Jul 20 22:04:11 EDT 2000


Was the dsize argument wrapped in quotes in version 1.6?  If so it would have
been screwed up due to the fact that quoted arguments to that plugin (and some
others) would give unexpected results.  

There's a function in the program now to strip the quotes off of these types
of arguments in the parser, so what you're seeing now is probably the
*correct* behavior.

    -Marty


Thayne wrote:
> 
> Thanx for the reply Marty,
> 
> Turning the rule off is not such a problem.  I just thought it peculiar that
> it only does this in versions 1.6.2.2 and above, but not 1.6 even though our
> 1.6 implementation has the exact same rule (alert icmp !$HOME_NET any ->
> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA";itype:8;dsize:0;)).  And
> they are indeed pings with no payload. Just seemed rather odd.
> 
> Other than that, 1.6.3-Beta6 seems to be running flawlessly.  Keep up the
> good work, and thanks for all your time.
> 
> Thayne
> fellow snortster
> 
> ----- Original Message -----
> From: Martin Roesch <roesch at ...1...>
> To: Guy Bruneau <bruneau at ...126...>
> Cc: Thayne Allen <thayne_a at ...125...>; <snort-users at lists.sourceforge.net>
> Sent: Thursday, July 20, 2000 8:27 PM
> Subject: Re: [Snort-users] Problem with version 1.6.2.2 and above...
> 
> > Turn the rule off?  Seriously, you should be able to examine the packet
> > and see if you're getting pings with no payload.  If the rule is incorrect or
> > giving false positives due to a bug, we should know about it.
> >
> > If this alert is annoying for you, just turn the rule off.  Pings can
> > hardly be said to be hostile traffic in the most general case, so this rule
> > merely provides information.
> >
> >     -Marty
> >
> > Guy Bruneau wrote:
> > >
> > > Yes I have noted the same thing here but I don't know of a fix.
> > >
> > > Guy Bruneau
> > >
> > > Thayne Allen wrote:
> > >
> > > > I was just wondering if anyone else was having this problem:
> > > >
> > > > Whenever I run Snort ver. 1.6.2.2 or 1.6.3-Beta6 on my RedHat box, I
> > > > start getting a plethora of IDS162 - PING Nmap2.36BETA alerts coming from
> > > > many different IP's, going to various IP's on my network.  Whenever I run
> > > > 1.6 using the exact same ruleset, I don't get these alerts at all.  Is
> > > > this a bug in 1.6.2.2 and above?  Anyone else have this problem or know a
> > > > fix?
> > > > Thanks,
> > > >
> > > > fellow snortster
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
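The parsing point Marty makes above, as an added illustration that is not Snort's own code: a toy rule-option splitter that honours double quotes, a dsize comparator that reads its argument as a number, and a `strip_quotes` step standing in for the quote-stripping function he mentions. The exact way Snort 1.6 misread a quoted `dsize` argument is not stated in the thread, so the "unquoted only" behaviour modelled here (a quoted value fails to parse as an integer and the option never matches) is an assumption used to show why the same rule could stay silent on one version and fire on another. The rule text is the one Thayne posted; the helper names are invented.

```python
"""Toy Snort-style rule option parsing (added example, not Snort's parser).

Models the quoting issue from the thread: dsize:"0" versus dsize:0.
The failure mode for quoted arguments is assumed, not taken from Snort source.
"""
import re

# Rule exactly as posted in the thread.
RULE = ('alert icmp !$HOME_NET any -> $HOME_NET any '
        '(msg:"IDS162 - PING Nmap2.36BETA";itype:8;dsize:0;)')


def split_options(rule: str) -> dict:
    """Split the parenthesised option list into {keyword: raw_value}.

    A ';' inside double quotes does not terminate an option, so a msg like
    "foo; bar" survives intact.  Values keep their quotes at this stage.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote = {}, [], False

    def flush():
        tok = ''.join(cur).strip()
        if tok:
            key, _, val = tok.partition(':')
            opts[key.strip()] = val.strip()
        cur.clear()

    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            flush()
        else:
            cur.append(ch)
    flush()  # option list without a trailing ';'
    return opts


def strip_quotes(value: str) -> str:
    """Stand-in for the quote-stripping step: remove one pair of surrounding
    double quotes so numeric plugins see a bare number."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def dsize_matches(raw_arg: str, payload_len: int, strip: bool) -> bool:
    """Evaluate a dsize option (N, <N or >N) against a payload length.

    strip=False models a parser that hands the raw token to the plugin:
    a quoted '"0"' is not a valid integer, so the option silently never
    matches (assumed failure mode).  strip=True models the fixed parser.
    """
    arg = strip_quotes(raw_arg) if strip else raw_arg
    m = re.fullmatch(r'([<>]?)(\d+)', arg)
    if not m:
        return False
    op, n = m.group(1), int(m.group(2))
    if op == '<':
        return payload_len < n
    if op == '>':
        return payload_len > n
    return payload_len == n


def rule_fires(rule: str, icmp_type: int, payload_len: int, strip: bool) -> bool:
    """Apply the itype and dsize options of a rule to one ICMP packet."""
    opts = split_options(rule)
    if 'itype' in opts and int(strip_quotes(opts['itype'])) != icmp_type:
        return False
    if 'dsize' in opts and not dsize_matches(opts['dsize'], payload_len, strip):
        return False
    return True


if __name__ == '__main__':
    quoted = RULE.replace('dsize:0', 'dsize:"0"')
    # Constructed packet: ICMP echo request (type 8) with an empty payload.
    print('unquoted rule, old parser :', rule_fires(RULE, 8, 0, strip=False))
    print('quoted rule,   old parser :', rule_fires(quoted, 8, 0, strip=False))
    print('quoted rule,   new parser :', rule_fires(quoted, 8, 0, strip=True))
    print('56-byte ping,  new parser :', rule_fires(RULE, 8, 56, strip=True))
```

Running it shows the three-way split the thread describes: the bare `dsize:0` matches an empty echo request under either parser, a quoted `dsize:"0"` matches only once quotes are stripped, and a normal 56-byte ping never matches. When a rule goes quiet or suddenly noisy after a Snort upgrade, diffing how each version tokenises the option string is a quicker check than assuming the traffic changed.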