[Snort-users] Snort rules order.

larosa, vjay larosa_vjay at ...3331...
Tue Oct 29 12:13:15 EST 2002


Hello,

I am running snort v 1.9.0 build 209 and I am having a problem with the
ordering of some rules.
I was under the assumption that this didn't matter anymore with snort 1.9.0.
I have two rules,


(trap-db is a custom ruletype I defined. Instead of using alert I use
trap-db to send snmp traps for some events).

trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll";
content
: "|0001|"; offset:0; depth:2; content:"admin.dll"; nocase;
classtype:successful-admin; refe
rence:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)

and 

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00
01|"; offset:0; de
pth:2; classtype:bad-unknown; sid:1444; rev:2;)

For some reason the second rule gets triggered when I try a tftp session and
do a get admin.dll,
but if I say get passwd the correct passwd rule triggers. 

alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|";
offset:0; depth:2; co
ntent:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)


Anybody have any clue what might be wrong? Thanks!

vjl


V.Jay LaRosa                           EMC Corporation
Information Security                  171 South Street
(508)249-3355 office                  Hopkinton, MA 01748
(508)498-5575 cell                     www.emc.com
(888-799-9750 pager                  larosa_vjay at ...3331...
(508)497-8082 fax





More information about the Snort-users mailing list