[Snort-users] Repeating question re: problems with director operators.

Jesus Couto jesus.couto at ...3830...
Tue Mar 5 03:26:06 EST 2002


I have not read any answer acknowledging this problem.

To repeat, all testing I have done in snort-1.8.3 and the 1.8.4 betas 
shows the same behavior: if there is a rule defined with
one operator, a rule that has the same networks and ports both to the 
left and to the right of the operator but uses the operator in the other 
direction is ignored.


alert tcp [,,] 80 -> any (msg:"http resp  www.io.com";)
alert tcp [,,] 80 <- any (msg:"http req www.io.com";)

Never shows any alert for request traffic, and the inverse

alert tcp [,,] 80 <- any (msg:"http req www.io.com";)
alert tcp [,,] 80 -> any (msg:"http resp  www.io.com";)

Never shows any alarms with the answers from the website. Either rule, 
alone, works, and rewriting them to use the -> operator (switching the 
left and right network and port definitions) works.

Also, there seems to be a problem with the content option in rules about 
tcp traffic with the <- operator; for example:

alert tcp [,,] 80 -> any (msg:"http resp  www.io.com"; content: "I";)

generates alarms when browsing www.io.com, but

alert tcp any <- [,,] 80 (msg:"http resp  www.io.com"; content: "I";)

doesn't. Tried changing options and disabling stream4 and 
stream4_reassemble without results.

Platform: snort-1.8.3 and all the .4 betas running on Linux 2.2.17 (Debian).

Can anybody else repeat the test and confirm this?

Jesús Couto F.
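Added example, not part of the post or of Snort itself: a small Python checker that parses rule headers of the shape used above, flags pairs that share the same left and right network/port tuples but use opposite operators (the combination the post reports as silently dropping one rule), and rewrites `<-` rules into the swapped `->` form the post says works. The network list, elided as `[,,]` in the post, is replaced by a constructed placeholder, and the header grammar assumes the `action proto src sport op dst dport (options)` shape; Snort documents `->` and `<>` as its direction operators, and `<-` is accepted here only because the post uses it.

```python
import re

# Header grammar assumed here: action proto src_ip src_port OP dst_ip dst_port (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<op>->|<>|<-)\s+(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*\((?P<opts>.*)\)\s*$'
)

# Constructed rules mirroring the post; the network list is a placeholder,
# not the poster's real addresses.
RULES = [
    'alert tcp [10.0.0.0/8,192.168.0.0/16] 80 -> any any (msg:"http resp www.io.com";)',
    'alert tcp [10.0.0.0/8,192.168.0.0/16] 80 <- any any (msg:"http req www.io.com";)',
]


def parse_rule(rule):
    """Split a rule into its header fields and option string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    return m.groupdict()


def normalize(rule):
    """Rewrite a '<-' rule into the equivalent '->' rule by swapping both sides
    (the workaround the post reports as working); '->' and '<>' are left alone."""
    r = parse_rule(rule)
    if r["op"] == "<-":
        r["src"], r["dst"] = r["dst"], r["src"]
        r["sport"], r["dport"] = r["dport"], r["sport"]
        r["op"] = "->"
    return "{action} {proto} {src} {sport} {op} {dst} {dport} ({opts})".format(**r)


def mirrored_pairs(rules):
    """Return index pairs (i, j) of rules with identical left/right tuples but
    opposite operators, i.e. the combination the post describes as ignored."""
    parsed = [parse_rule(r) for r in rules]
    key = lambda p: (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    pairs = []
    for i, a in enumerate(parsed):
        for j in range(i + 1, len(parsed)):
            b = parsed[j]
            if key(a) == key(b) and {a["op"], b["op"]} == {"->", "<-"}:
                pairs.append((i, j))
    return pairs


if __name__ == "__main__":
    for i, j in mirrored_pairs(RULES):
        print(f"rules {i} and {j} mirror each other; rewrite {j} as: {normalize(RULES[j])}")
```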
