[Snort-users] Repeating question re: problems with director operators.
jsage at ...2022...
Tue Mar 5 18:47:02 EST 2002
On Tue, Mar 05, 2002 at 05:41:59PM +0100, Jesus Couto wrote:
> No, the lines are not split in the configuration, 'cause if they were I
> wouldn't get snort recording anything. It's an artifact of cutting &
> pasting them to the email client.
OK: I thought that, but you get to a point where any answer...
> And the problem is not replacing 2 rules in different directions with
> one with <>; the problem is writing a new rule and thinking you are
> "safe" (not getting attacked) when in fact one of the previous rules is
> making the new one not work, because of this. The second rule doesn't
> have to be exactly the same as the first; you may be checking for
> another kind of packet, but that rule will never be triggered as long as
> there is another first with the same networks and ports and different
When I grep for '<-' in *.rules and examine some of the results, in no
case do I find two rules where the left side is identical to the right
side (i.e. the only difference between two rules is the direction of the
This suggests something to me...
> Adding to that the fact that the content option doesn't work with <-
> rules, which renders some rules of the distribution worthless (example:
> sid 717), the fact is that the <- operator is seriously broken (well, it
> was never mentioned in the manual to begin with, but snort doesn't croak
> when it sees it and it "works" sometimes), and all rules should be
> written with ->.
Here's the best thought: why can't you re-write your rules so the
directional is uni-directional only, and just go on with your work...
It may be true that what you're trying to do doesn't work; personally,
I'd find a different way to do it.
Most people don't type their own logfiles; but, what do I care?
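
An added example, not part of the original message or of the Snort distribution: a small audit script that automates the two checks discussed in this thread, listing every rule that uses `<-` together with its `->` rewrite, and grouping rules whose headers differ only in the direction operator. The function names are hypothetical, the sample rules and sids are constructed, and the rewrite assumes `<-` is meant as traffic from the right-hand side to the left-hand side.

```python
import re
from collections import defaultdict

# Rule header: action proto left_net left_port operator right_net right_port (options)
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(<-|->|<>)\s+(\S+)\s+(\S+)\s+(\(.*\))\s*$')
SID = re.compile(r'\bsid\s*:\s*(\d+)')

def parse_rules(text):
    """Yield (sid, header fields, options) for each non-comment rule."""
    text = re.sub(r'\\\r?\n\s*', ' ', text)   # join backslash-continued lines
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:   # lines starting with '#' cannot match the leading action word
            sid = SID.search(m.group(8))
            yield (sid.group(1) if sid else None), m.groups()[:7], m.group(8)

def to_right_arrow(fields, opts):
    """Rewrite a '<-' rule as the same flow expressed with '->' (endpoints swapped)."""
    action, proto, lnet, lport, op, rnet, rport = fields
    if op == '<-':
        lnet, lport, rnet, rport, op = rnet, rport, lnet, lport, '->'
    return f'{action} {proto} {lnet} {lport} {op} {rnet} {rport} {opts}'

def audit(text):
    """Return (rewrites, same_sides): rewrites maps sid -> '->' form of each '<-' rule;
    same_sides lists sid groups whose headers differ only in the direction operator."""
    rewrites, by_sides = {}, defaultdict(list)
    for sid, f, opts in parse_rules(text):
        if f[4] == '<-':
            rewrites[sid] = to_right_arrow(f, opts)
        by_sides[(f[1], f[2], f[3], f[5], f[6])].append((sid, f[4]))
    same_sides = [g for g in by_sides.values() if len({op for _, op in g}) > 1]
    return rewrites, same_sides

SAMPLE = r'''
# constructed rules, sids are placeholders
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"inbound telnet"; flags:S; sid:1000001;)
alert tcp $EXTERNAL_NET any <- $HOME_NET 23 (msg:"telnet reply"; \
    content:"login incorrect"; sid:1000002;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"dns out"; sid:1000003;)
'''

if __name__ == '__main__':
    rewrites, same_sides = audit(SAMPLE)
    for sid, rule in rewrites.items():
        print(sid, '=>', rule)
    print('headers differing only in direction:', same_sides)
```

To audit a real rule set, pass the concatenated contents of the *.rules files to `audit()` in place of `SAMPLE`.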