[Snort-users] Repeating question re: problems with direction operators.

John Sage jsage at ...2022...
Tue Mar 5 08:02:02 EST 2002


See: 

Chapter 2
Writing Snort Rules
How to Write Snort Rules and Keep Your Sanity

Under:

2.2.4  Port Numbers

"There is also a bidirectional operator, which
is indicated with a "<>" symbol."

Example:

log !192.168.1.0/24 any <> 192.168.1.0/24 23


Try that.

Also, a thought: if you're splitting rules onto multiple lines, as
you've always shown, each split line needs to end with a "\"


- John
-- 
Most people don't type their own logfiles;  but, what do I care?



On Tue, Mar 05, 2002 at 12:22:59PM +0100, Jesus Couto wrote:
> Hi,
> 
> I have not read any answer acknowledging this problem.
> 
> To repeat, all testing I have done in snort-1.8.3 and the 1.8.4 betas 
> show the same behavior: if there is a rule defined with
> one operator, a rule that has the same networks and ports both to the 
> left and to the right of the operator but uses the operator on the other 
> direction is ignored.
> 
> Example:
> 
> alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 
> 213.164.32.133 any (msg:"http resp  www.io.com";)
> alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 
> 213.164.32.133 any (msg:"http req www.io.com";)
> 
> Never shows any alert for request traffic, and the inverse
> 
> alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 
> 213.164.32.133 any (msg:"http req www.io.com";)
> alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 
> 213.164.32.133 any (msg:"http resp  www.io.com";)
> 
> Never shows any alarms with the answers from the website. Either rule, 
> alone, works, and rewriting them to use the -> operator (switching the 
> left and right network and port definitions) works.
> 
> Also, it seems to be a problem with the content option in rules about 
> tcp traffic with the <- operator; for example:
> 
> alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 
> 213.164.32.133 any (msg:"http resp  www.io.com"; content: "I";)
> 
> generates alarms when browsing www.io.com, but
> 
> alert tcp 213.164.32.133 any <- 
> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp  
> www.io.com"; content: "I";)
> 
> doesn't. Tried changing options and disabling stream4 and 
> stream4_reassemble without results.
> 
> Platform: snort-1.8.3 and all the .4 betas running on Linux 2.2.17 (Debian).
> 
> Can anybody else repeat the test and confirm this?
> 
> Jesús Couto F.
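A small worked example, added here and not code from either poster or from the Snort project, of what the two messages above are arguing about. The Snort rule language documents exactly two direction operators, "->" and "<>"; "<-" is not one of them, which is consistent with the "<-" rules above never firing and with swapping the endpoints onto a "->" rule working. The script below is a toy parser for the header part of a rule (action proto src sport dir dst dport, plus the option block in parentheses), handles the "[a,b,c]" list, "!" negation, CIDR and "any" syntax used in the quoted rules, joins backslash-continued lines the way John describes, evaluates whether a packet 4-tuple matches a "->" or "<>" header, and rewrites an "<-" rule into the equivalent "->" rule with the endpoints swapped. The rule strings and packet tuples are constructed from the addresses in the thread; the port 51234 on the client side is an assumption.

```python
"""Toy Snort rule-header parser and matcher (added example, not Snort code)."""
import ipaddress
import re

# Snort documents only "->" and "<>"; "<-" is accepted here solely so that
# normalize_direction() can rewrite it and header_matches() can reject it.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>|<-)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$"
)

# Constructed from the rules quoted in the thread (options trimmed to msg/content).
SERVERS = "[199.170.88.41,199.170.88.21,199.170.88.39]"
RULE_RESP = ('alert tcp %s 80 -> 213.164.32.133 any '
             '(msg:"http resp www.io.com"; content: "I";)' % SERVERS)
RULE_BAD = ('alert tcp 213.164.32.133 any <- %s 80 '
            '(msg:"http resp www.io.com"; content: "I";)' % SERVERS)
# Constructed packets (src_ip, src_port, dst_ip, dst_port); client port is assumed.
PKT_RESP = ("199.170.88.41", 80, "213.164.32.133", 51234)   # server -> client
PKT_REQ = ("213.164.32.133", 51234, "199.170.88.41", 80)    # client -> server


def join_continuations(text):
    """Join lines that end in a backslash, as Snort's rule reader does."""
    return re.sub(r"\s*\\\n\s*", " ", text)


def parse_addr(spec):
    """'any', 'a.b.c.d', 'a.b.c.0/24' or '[x,y,z]', optionally prefixed by '!'."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        return negate, None
    nets = [ipaddress.ip_network(n, strict=False) for n in spec.strip("[]").split(",")]
    return negate, nets


def parse_port(spec):
    """'any', 'n', 'lo:hi', ':hi' or 'lo:', optionally prefixed by '!'."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        return negate, None
    lo, sep, hi = spec.partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return negate, (lo, hi)


def addr_matches(parsed, ip):
    negate, nets = parsed
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negate


def port_matches(parsed, port):
    negate, rng = parsed
    hit = rng is None or rng[0] <= port <= rng[1]
    return hit != negate


def parse_header(rule):
    m = HEADER_RE.match(join_continuations(rule).strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    return {"action": m["action"], "proto": m["proto"], "dir": m["dir"],
            "src": parse_addr(m["src"]), "sport": parse_port(m["sport"]),
            "dst": parse_addr(m["dst"]), "dport": parse_port(m["dport"]),
            "opts": m["opts"] or ""}


def header_matches(rule, pkt):
    """True if the packet 4-tuple matches the rule header in a documented direction."""
    h = parse_header(rule)
    if h["dir"] == "<-":
        raise ValueError("'<-' is not a Snort direction operator; "
                         "use '->' with the endpoints swapped, or '<>'")
    src, sport, dst, dport = pkt
    fwd = (addr_matches(h["src"], src) and port_matches(h["sport"], sport)
           and addr_matches(h["dst"], dst) and port_matches(h["dport"], dport))
    if h["dir"] == "->":
        return fwd
    # "<>" is bidirectional: also try the packet with its endpoints reversed.
    rev = (addr_matches(h["src"], dst) and port_matches(h["sport"], dport)
           and addr_matches(h["dst"], src) and port_matches(h["dport"], sport))
    return fwd or rev


def normalize_direction(rule):
    """Rewrite 'A a <- B b' as 'B b -> A a'; rules already using -> or <> are returned as-is."""
    text = join_continuations(rule).strip()
    m = HEADER_RE.match(text)
    if not m or m["dir"] != "<-":
        return text
    parts = [m["action"], m["proto"], m["dst"], m["dport"], "->", m["src"], m["sport"]]
    if m["opts"]:
        parts.append(m["opts"])
    return " ".join(parts)


if __name__ == "__main__":
    print("->  matches response:", header_matches(RULE_RESP, PKT_RESP))
    print("->  matches request: ", header_matches(RULE_RESP, PKT_REQ))
    print("<>  matches request: ", header_matches(RULE_RESP.replace("->", "<>"), PKT_REQ))
    print("rewritten <- rule:   ", normalize_direction(RULE_BAD))
```

Running it shows the "->" rule firing only on server-to-client packets, the same header with "<>" firing in both directions, and the "<-" rule from the thread rewritten to the "->" form with the endpoints swapped, which is the form Jesus reports as working; any attempt to match the raw "<-" rule raises an error rather than silently matching nothing.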