[Snort-users] Snort 1.9 vs 2.0

Jens Krabbenhoeft tschenz-snort-users at ...7018...
Mon Oct 14 01:29:05 EDT 2002


Hi Chris, hi list,

  first of all thanks to Sourcefire for releasing their improvements to
the open-source community.

> The biggest end user change in this is that rule ordering matters a
> lot less than it used to. If you specify content options in a rule,
> multiple matches will alert on the longest singular content match.

Is it right that the new matching "most exact -> less exact -> catch
all" will affect the pass rules as well? Because when using 2.0.0-Build1
with the ruleset for 1.9 I have the following "problem":

pass tcp any any -> a.b.c.d 21
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file
   completion attempt {"; flow:to_server,established; content:"~";
   content:"{"; reference: cve,CAN-2001-0886; reference:bugtraq,3581;
   classtype:misc-attack; sid:1378;  rev:7;)

That's from my ftp.rules (ignore the linefeeds on the second rule *g*),
and it works quite well for 1.9 (where it ignores any traffic to a.b.c.d
port 21), but it doesn't work with 2.0. My debug output shows that
some of the traffic to a.b.c.d gets caught by the pass rule, and other
traffic to a.b.c.d (which BTW is in $HOME_NET) gets caught by the alert
rule (although using -o).

Kind regards,

	Jens
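A constructed model of the two selection behaviours this message contrasts (an added example, not Snort code and not from this thread): ordered pass-before-alert selection as with -o in 1.9, and the quoted 2.0 "longest single content match" selection, both applied to the two rules above. The $HOME_NET membership, the payloads and the simplified rule syntax are assumptions; whether 2.0 really applies longest-content selection to pass rules is exactly the open question of the post.

```python
from dataclasses import dataclass, field

HOME_NET = {"a.b.c.d", "a.b.c.e"}   # constructed; the post says a.b.c.d is in $HOME_NET

@dataclass
class Rule:
    action: str                      # "pass" or "alert"
    dst_ip: str                      # literal address, "any" or "$HOME_NET"
    dst_port: int
    contents: list = field(default_factory=list)  # content: patterns, all must appear
    msg: str = ""

# The two rules from the post in simplified form (payload-only content checks,
# flow/reference/classtype options ignored).
RULES = [
    Rule("pass", "a.b.c.d", 21),
    Rule("alert", "$HOME_NET", 21, ["~", "{"], "FTP wu-ftp file completion attempt {"),
]

def matches(rule, dst_ip, dst_port, payload):
    """Header and content match; a rule with no content options matches any payload."""
    if rule.dst_port != dst_port:
        return False
    if rule.dst_ip == "$HOME_NET":
        ip_ok = dst_ip in HOME_NET
    else:
        ip_ok = rule.dst_ip in ("any", dst_ip)
    return ip_ok and all(c in payload for c in rule.contents)

def select_ordered(rules, dst_ip, dst_port, payload, order=("pass", "alert")):
    """1.9-style selection with -o: the first matching rule in pass -> alert order wins."""
    hits = [r for r in rules if matches(r, dst_ip, dst_port, payload)]
    for action in order:
        for r in hits:
            if r.action == action:
                return r.action
    return "none"

def select_longest_content(rules, dst_ip, dst_port, payload):
    """Selection as quoted for 2.0: among matching rules, the one with the longest single
    content pattern wins. A pass rule without content options scores 0 and loses."""
    hits = [r for r in rules if matches(r, dst_ip, dst_port, payload)]
    if not hits:
        return "none"
    best = max(hits, key=lambda r: max((len(c) for c in r.contents), default=0))
    return best.action

if __name__ == "__main__":
    for ip, payload in [("a.b.c.d", "LIST ~{"), ("a.b.c.d", "USER ftp"), ("a.b.c.e", "LIST ~{")]:
        print(ip, repr(payload), "ordered:", select_ordered(RULES, ip, 21, payload),
              "longest-content:", select_longest_content(RULES, ip, 21, payload))
```

The model reproduces the symptom from the post: traffic to a.b.c.d without the signature content is passed under both schemes, but a payload matching the content options is passed under ordered selection and alerted on under longest-content selection.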
