[Snort-users] Snort rules order.
larosa_vjay at ...3331...
Tue Oct 29 12:13:15 EST 2002
I am running snort v 1.9.0 build 209 and I am having a problem with the
ordering of some rules.
I was under the assumption that this didn't matter anymore with snort 1.9.0.
I have two rules,
(trap-db is a custom ruletype I defined. Instead of using alert I use
trap-db to send snmp traps for some events).
trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll"; content:"|0001|"; offset:0; depth:2; content:"admin.dll"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)
For some reason the second rule gets triggered when I try a tftp session and
do a get admin.dll,
but if I say get passwd the correct passwd rule triggers.
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)
Anybody have any clue what might be wrong? Thanks!
V.Jay LaRosa
Information Security
EMC Corporation
171 South Street
Hopkinton, MA 01748
(508)249-3355 office
(508)498-5575 cell
(888)799-9750 pager
www.emc.com
larosa_vjay at ...3331...
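A quick way to separate "the pattern does not match" from "another rule won the ordering" is to apply the content/offset/depth/nocase checks of all three rules to a constructed TFTP read request. This is an added example of my own, not code from the post or from Snort; it assumes the rules as quoted above joined onto single lines, Snort 1.9's absolute offset/depth semantics, and RFC 1350 RRQ framing for the sample packets.

```python
import re
import struct
# Constructed TFTP read requests (RFC 1350): opcode 0x0001, filename, NUL, mode, NUL.
RRQ_ADMIN_DLL = struct.pack("!H", 1) + b"admin.dll\x00octet\x00"
RRQ_PASSWD = struct.pack("!H", 1) + b"passwd\x00octet\x00"
# The three rules from the post, each joined onto one line.
RULES = [
    'trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll"; '
    'content:"|0001|"; offset:0; depth:2; content:"admin.dll"; nocase; '
    'reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; '
    'offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)',
    'alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|0001|"; offset:0; '
    'depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)',
]
def decode_content(text):
    # Snort content string to bytes; the odd-numbered |..| segments are hex.
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))
def parse_rule(rule):
    # Return (action, sid, content checks); options are ';'-separated, quotes respected.
    header, _, options = rule.partition("(")
    action, sid, checks = header.split()[0], None, []
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', options.rstrip(")")):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "content":
            checks.append({"pat": decode_content(val.strip('"')),
                           "offset": 0, "depth": None, "nocase": False})
        elif key in ("offset", "depth") and checks:  # modifiers apply to last content
            checks[-1][key] = int(val)
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
        elif key == "sid":
            sid = int(val)
    return action, sid, checks

def rule_matches(payload, checks):
    # Snort 1.9 semantics assumed: offset/depth are absolute from payload start.
    for c in checks:
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        hay, pat = payload[c["offset"]:end], c["pat"]
        if c["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True

def matching_sids(payload):
    # More than one sid here means rule ordering, not the patterns, decides which fires.
    return [s for _, s, c in map(parse_rule, RULES) if rule_matches(payload, c)]
```

An RRQ for admin.dll satisfies both sid 1289 and sid 1444 (and a passwd RRQ satisfies 1444 and 1443), so the generic 1444 rule is a candidate for every TFTP read and the outcome depends on how Snort orders the trap-db ruletype against alert rules.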