[Snort-users] RE: Snort-users digest, Vol 1 #3204 - 10 msgs

Ron Shuck rshuck at ...6736...
Wed May 28 07:49:12 EDT 2003


Hi,

I noticed this behavior as well. It occurs any time the order is changed
in any way. I started noticing it with ICMP traffic triggering on the
'undefined code' instead of the ping or whatever. I have since found
another rule that is not triggering. I have yet to find the problem.
There was one other person that responded to one of my earlier posts
that was seeing the same issue. I use the same order you described. I
tried both with the -o and with the 'config' statement in the
snort.conf. Both cause the same issue.

Sorry, that doesn't help much, but at least there are others seeing the
same thing. I haven't seen a post from Marty or Chris about this, I am
just assuming that it is corrected or will be corrected in the CVS. I
haven't had a chance to take a look.

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org


-----Original Message-----
Date: Mon, 26 May 2003 22:17:26 -0400
From: lpj0508 at ...2792...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] strange behavior in rule processing?

Hi,

I've been using Snort 2.0 since it came out. I noticed one strange
behavior though. My rule orders are set to pass->alert->log (using -o).
When I need to disable a rule, I usually just copy and paste it into the
pass rule with the pass directive, similar to below:

[root at ...9300... rules]# grep "WEB-MISC http directory traversal" *
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flags:A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)

This has been working fine all along, and with such an arrangement I do not
get directory traversal alerts, but recently I've started to get the
directory traversal alerts again, despite not having made any changes
recently.

Anyone able to shed some light on this behavior? Thanks

lpj
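A check that anyone maintaining hand-copied pass rules like these could run, added here as an example and not part of the thread: it parses the pass and alert rule files, pairs rules by sid, and reports any pass copy whose header or options no longer match the alert rule it was copied from. The rule text is the grep output above, embedded inline as constructed sample input; on it the check flags sid 1113, whose pass copy carries flags:A+ where the alert rule has flow:to_server,established.

```python
import re
# Constructed sample input: the pass.rules and web-misc.rules lines from the
# grep output in the thread, embedded inline so the check runs offline.
PASS_RULES = r'''
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flags:A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
'''
ALERT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)
'''
# action, header (proto/addrs/ports/direction), then the options in parens.
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$')

def parse_rules(text):
    """Map sid -> (action, header, normalized options) for each rule line."""
    # Split options on ';' and drop whitespace around ':' so only real
    # differences show; a content match containing ';' would need a quote-aware splitter.
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = [re.sub(r'\s*:\s*', ':', o.strip())
                for o in m.group('opts').split(';') if o.strip()]
        sid = next((o[4:] for o in opts if o.startswith('sid:')), None)
        if sid is not None:
            rules[int(sid)] = (m.group('action'), m.group('header').strip(), opts)
    return rules

def stale_pass_rules(pass_text, alert_text):
    """Return {sid: reason} for pass rules that no longer mirror the alert
    rule carrying the same sid (header changed, options changed, sid gone)."""
    passes, alerts = parse_rules(pass_text), parse_rules(alert_text)
    findings = {}
    for sid, (_, p_hdr, p_opts) in passes.items():
        if sid not in alerts:
            findings[sid] = 'no alert rule with this sid'
        elif p_hdr != alerts[sid][1]:
            findings[sid] = 'header differs: %r vs %r' % (p_hdr, alerts[sid][1])
        elif p_opts != alerts[sid][2]:
            a_opts = alerts[sid][2]
            findings[sid] = 'options differ: pass has %s, alert has %s' % (
                sorted(set(p_opts) - set(a_opts)), sorted(set(a_opts) - set(p_opts)))
    return findings

if __name__ == '__main__':
    for sid, why in sorted(stale_pass_rules(PASS_RULES, ALERT_RULES).items()):
        print('sid %d: %s' % (sid, why))
```

Rerunning it after every rule-set update catches a pass copy that has silently fallen behind the alert rule it is meant to silence.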
