[Snort-users] Repeating question re: problems with direction operators.

Jesus Couto jesus.couto at ...3830...
Tue Mar 5 03:26:06 EST 2002


Hi,

I have not read any answer acknowledging this problem.

To repeat, all testing I have done in snort-1.8.3 and the 1.8.4 betas 
shows the same behavior: if there is a rule defined with one operator, 
a rule that has the same networks and ports both to the left and to the 
right of the operator but uses the operator in the other direction is 
ignored.

Example:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 213.164.32.133 any (msg:"http req www.io.com";)

Never shows any alert for request traffic, and the inverse:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 213.164.32.133 any (msg:"http req www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)

Never shows any alarms for the answers from the website. Either rule, 
alone, works, and rewriting them to use the -> operator (switching the 
left and right network and port definitions) works.

Also, there seems to be a problem with the content option in rules about 
tcp traffic with the <- operator; for example:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com"; content: "I";)

generates alarms when browsing www.io.com, but

alert tcp 213.164.32.133 any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com"; content: "I";)

doesn't. Tried changing options and disabling stream4 and 
stream4_reassemble without results.

Platform: snort-1.8.3 and all the .4 betas running on Linux 2.2.17 (Debian).

Can anybody else repeat the test and confirm this?

Jesús Couto F.
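To make the expected behaviour of the two rule headers concrete, here is a small rule-header matcher written for this page. It is an added example, not code from Snort or from the post above, and it deliberately does not try to reproduce Snort 1.8's parser: it assumes the semantics the poster expects, i.e. "->" reads left to right, "<-" is the same rule with source and destination swapped, and "<>" matches either direction. The server list, client address, port numbers and the two packets are constructed from the addresses in the post and are not captured traffic. The function reverse_to_forward shows the rewrite the poster reports as working (swap the sides and use "->").

```python
"""Minimal matcher for Snort 1.x-style rule headers (added example, not Snort code).

Assumed semantics, chosen to model what the post above expects:
  '->'  left side is the source, right side the destination
  '<-'  assumed to be the reverse of '->' (whether Snort 1.8 implements it
        this way is precisely the question raised in the thread)
  '<>'  bidirectional
Only the header, the msg option and a plain-string content option are handled.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed test input, not captured traffic."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_addr(tok):
    """'any', a host/CIDR, or a bracketed comma list -> list of networks (None = any)."""
    if tok == "any":
        return None
    return [ipaddress.ip_network(t.strip(), strict=False) for t in tok.strip("[]").split(",")]


def parse_port(tok):
    """'any', a single port, or 'lo:hi' -> (lo, hi) tuple (None = any)."""
    if tok == "any":
        return None
    lo, _, hi = tok.partition(":")
    return (int(lo), int(hi or lo))


_HDR = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<-|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    m = _HDR.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dst": parse_addr(dst), "dport": parse_port(dport),
            "options": options}


def _addr_ok(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def _one_way(rule, pkt, swapped):
    """Match the header left-to-right, or right-to-left when swapped is True."""
    l_ip, l_port, r_ip, r_port = rule["src"], rule["sport"], rule["dst"], rule["dport"]
    if swapped:
        l_ip, l_port, r_ip, r_port = r_ip, r_port, l_ip, l_port
    return (_addr_ok(l_ip, pkt.src) and _port_ok(l_port, pkt.sport)
            and _addr_ok(r_ip, pkt.dst) and _port_ok(r_port, pkt.dport))


def matches(rule, pkt):
    """True when the packet satisfies the header, the direction and any content option."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if rule["dir"] == "->":
        hit = _one_way(rule, pkt, swapped=False)
    elif rule["dir"] == "<-":            # assumed: reverse of '->'
        hit = _one_way(rule, pkt, swapped=True)
    else:                                # '<>': either direction
        hit = _one_way(rule, pkt, False) or _one_way(rule, pkt, True)
    content = rule["options"].get("content")
    if hit and content is not None:
        hit = content.encode() in pkt.payload
    return hit


def reverse_to_forward(text):
    """Rewrite 'A ap <- B bp' as 'B bp -> A ap', the workaround the post says works."""
    m = _HDR.match(text.strip())
    if not m or m.group(5) != "<-":
        return text
    action, proto, src, sport, _, dst, dport, opts = m.groups()
    return "%s %s %s %s -> %s %s (%s)" % (action, proto, dst, dport, src, sport, opts)


def fire(rules, pkt):
    """Return the msg of every parsed rule that matches pkt, in rule order."""
    return [r["options"].get("msg", "") for r in rules if matches(r, pkt)]


# Addresses taken from the post; ports, payloads and client port are constructed.
WEB = "[199.170.88.41,199.170.88.21,199.170.88.39]"
RULES = [
    'alert tcp %s 80 -> 213.164.32.133 any (msg:"http resp www.io.com"; content: "I";)' % WEB,
    'alert tcp %s 80 <- 213.164.32.133 any (msg:"http req www.io.com";)' % WEB,
]
REQUEST = Packet("tcp", "213.164.32.133", 41234, "199.170.88.21", 80, b"GET / HTTP/1.0\r\n")
RESPONSE = Packet("tcp", "199.170.88.21", 80, "213.164.32.133", 41234, b"HTTP/1.0 200 OK\r\nServer: I")

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in RULES]
    print("request fires:", fire(parsed, REQUEST))
    print("response fires:", fire(parsed, RESPONSE))
    print("rewritten:", reverse_to_forward(RULES[1]))
```

Under these assumed semantics each rule fires on exactly one of the two packets regardless of which rule is listed first, which is the behaviour the post reports not getting; comparing the output of matches() for the "<-" rule and for its reverse_to_forward() rewrite is a quick way to check that the two headers really are equivalent before concluding that the engine is dropping one of them.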