[Snort-users] Rule Order
rshuck at ...6736...
Fri May 2 05:45:53 EDT 2003
That is what I saw in production, and in my testing. If I looked at the
packet dump, it should have triggered an L3 or Windows Ping, etc., but
instead only triggers the "undefined code". Changing the order back to
default will make the same configuration trigger correctly.
It's kind of like a Pink Elephant. I'm not glad it's there, but at least
someone else sees it. ;-)
Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
From: Allan Dover [mailto:allan at ...8825...]
Sent: Friday, May 02, 2003 7:29 AM
To: Ron Shuck; snort-users at lists.sourceforge.net
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-users] Rule Order
I am having the same problem as you. As soon as I switched to pass alert
log, I am getting undefined icmp errors. Interestingly enough these were
known icmp alerts L3retriever and so on.
I am still a piglet with snort ( dont like using newbie ) Anyone have any
other suggestions ?
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the
intended recipient of this e-mail, any use, review, retransmission,
distribution, dissemination, copying, printing, or other use of, or taking
of any action in reliance upon this e-mail, is strictly prohibited. If you
have received this e-mail in error, please contact the sender and delete
the original and any copy of this e-mail and any printout thereof,
immediately. Your co-operation is appreciated.
----- Original Message -----
From: "Ron Shuck" <rshuck at ...6736...>
To: <snort-users at lists.sourceforge.net>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Thursday, May 01, 2003 3:33 PM
Subject: [Snort-users] Rule Order
> Has anyone else changed the rule order under 2.0?
> When I upgraded to 2.0, I started having problems with ICMP alerts
> when my rule order was set to 'pass alert log'. Actually, any setting
> other than default caused problems. ICMP alerts happen, they just skip
> the normal rule and trigger the "Undefined Code" rule.
> Ron Shuck, CISSP, GCIA - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
> http://www.buchanan.com http://www.isc2.org
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3099 bytes
Desc: not available
More information about the Snort-users