[Snort-users] Rules: flags burp using 2.0.2?

John Sage jsage at ...2022...
Mon Sep 22 11:17:12 EDT 2003


On Mon, Sep 22, 2003 at 11:36:36AM -0400, Matt Kettler wrote:
> tatus: RO
> Content-Length: 1352
> Lines: 34
> At 08:31 PM 9/21/2003, John Sage wrote:
> >Rather than picking up these, it drops through to the generic TCP:135
> >rule I've got, which confuses what I'm trying to do...
> >
> >Wha' happen' between 1.9.1 and here, flags-wise?
> That sounds more like a rule-ordering difference than anything else. Snort 
> does not necessarily process rules in the same order that they appear in 
> your rule files, although that is somewhat of a factor.


That brings back a faint memory from about 1.8.7 or so, methinks..

> Now, I do recall someone claiming that 2.x was going to change rule 
> processing so that every rule that matched a given packet would fire. This 
> would lead to a single packet triggering both of your rules. However, I 
> don't know if this made it into the final 2.x, and the behavior you are 
> seeing would seem to indicate that it did not.
> You might try disabling your generic rule, and see if the flag ones start 
> firing off. If the do, it's probably a rule order thing.

I'll try this (in fact it's live, right now...) and see what happens.

Thanks.. (BTW: still dunno about that blocking deal...)

- John
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.

More information about the Snort-users mailing list