[Snort-users] Repeating question re: problems with director operators.

Brian bmc at ...950...
Thu Mar 7 10:45:51 EST 2002


According to John Sage:
> > Adding to that the fact that the content  option doesnt work with <- 
> > rules, which renders some rules of the distribution worthless (example: 
> > sid 717), the fact is that the <- operator is seriously broken (well, it 
> > was never mentioned in the manual to begin with, but snort doesnt croak 
> > when it see its and it "works" sometimes), and all rules should be 
> > writen with ->.
> 
> Here's the best thought: why can't you re-write your rules so the
> directional is uni-directional only, and just go on with your work...
> 
> It may be true that what you're trying to do doesn't work; personally,
> I'd find a different way to do it.

You are correct.  <- is broken, and has been removed from CURRENT.
All signatures with it need to be updated.  I have updated the
signatures in CURRENT that use this broken feature.  I will be
syncing the rules again this evening after another round of updates.

-brian




More information about the Snort-users mailing list