[Snort-users] bug?

Bill Marquette wlmarque at ...8...
Tue Nov 21 19:04:49 EST 2000

Nope, this is correct behavior.  The rules match on the return packet from the
server.  Source address of the packet being matched with the "login incorrect"
message is gutenberg.ussrback.net with the destination of the packet being
timezero.ar-ussrlabs.com.  It might make more sense to log in a more stream
based manner, but I suspect that would be difficult to implement at this time
and to me the flow of traffic seems fairly obvious.


From: eziman ussr <eziman at ...825...> on 11/21/2000 05:40 PM

To:   snort-users at lists.sourceforge.net
Subject:  [Snort-users] bug?

im using the snort 1.6.3 whit 10102k.rules and i have the log

Nov 2 2  07:30:26   IDS127 - TELNET - Login Incorrect
gutenberg.ussrback.net  23   timezero.ar-ussrlabs.com  2535
Nov 2 2  07:31:08   IDS364 - FTP-bad-login   gutenberg.ussrback.net
21   timezero.ar-ussrlabs.com  2536

and is en reverse order! (target are source and source are target).

Are this a bug or missconfigured?




UssrLabs (http://www.ussrback.com)
PGP FingerPrint: 945C D30B AEB8 55FE  3237 7FED 834F A814

Snort-users mailing list
Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list