[Snort-users] Repeating question re: problems with director operators.
bmc at ...950...
Thu Mar 7 10:45:51 EST 2002
According to John Sage:
> > Adding to that the fact that the content option doesnt work with <-
> > rules, which renders some rules of the distribution worthless (example:
> > sid 717), the fact is that the <- operator is seriously broken (well, it
> > was never mentioned in the manual to begin with, but snort doesnt croak
> > when it see its and it "works" sometimes), and all rules should be
> > writen with ->.
> Here's the best thought: why can't you re-write your rules so the
> directional is uni-directional only, and just go on with your work...
> It may be true that what you're trying to do doesn't work; personally,
> I'd find a different way to do it.
You are correct. <- is broken, and has been removed from CURRENT.
All signatures with it need to be updated. I have updated the
signatures in CURRENT that use this broken feature. I will be
syncing the rules again this evening after another round of updates.
More information about the Snort-users