[Snort-users] Re: [Snort-sigs] RE: Ignoring Win32 SNMP printer checks

Nerijus Krukauskas nk99 at ...10637...
Mon May 24 23:05:24 EDT 2004


   OK, I found it, but this is very weird. Although I already noticed 
similar Snort behavior. Sometimes it doesn't like the spaces in 
config/rules. Some time ago, a few of my custom rules didn't work just 
because there was (e.g.) 'content: "<something>"', instead of 
'content:"<something>"'. This time it happened to the subnet list in 
HOME_NET. It was defined like 'HOME_NET [<subnet>, <subnet>]'. Right 
after I removed the space after the comma, the rule started to apply.
   Anyway, the rule now works as expected.

nnposter wrote:
> Does it alert consistently on the captured packet when replayed?
> Does it alert on the "good" sensor when replayed?
> 
> 
> From: "Nerijus Krukauskas" <nk99 at ...10637...>
> 
>>   Yup. HOME_NET is defined with subnets, where both addresses (from 
>>the sample below) fall within. The strange thing is that another 
>>sensor in another segment is behaving like expected. Although the 
>>config between them differs only in sensor_name in db output. The 
>>trouble is caused just in one IP subnet.
>>   Seems like I have overlooked something very small, yet not so 
>>obvious... If I'm gonna find this, I will post the results.
>>
>>nnposter at ...603... wrote:
>>
>>>I do not see an obvious explanation. Have you also checked that the IP 
>>>addresses fall within the rule scope?


-- 
NK @ Vilnius
nk.tinkle.lt

It shall be unlawful for any suspicious person to be within the 
municipality. -- Local ordinance, Euclid Ohio
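
A pre-deployment check for the condition reported in the message above, as an added example that is not part of the original thread: it scans snort.conf-style text for `var`/`ipvar` definitions whose bracketed address list contains whitespace and proposes the whitespace-free form. The function name `lint_ip_lists` and the sample config are constructed for illustration.

```python
import re

# "var NAME [ ... ]" or "ipvar NAME [ ... ]" on one line, optional trailing comment.
# The list body may not contain '#', so a ']' inside a comment is never captured.
VAR_LIST = re.compile(r'^\s*(?:var|ipvar)\s+(\w+)\s+(\[[^#]*?\])\s*(?:#.*)?$')


def lint_ip_lists(conf_text):
    """Return (line_no, name, original, normalized) for every bracketed
    list definition that contains whitespace between its elements."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # whole-line comment
        m = VAR_LIST.match(line)
        if not m:
            continue  # not a bracketed list definition (e.g. !$HOME_NET)
        name, value = m.groups()
        normalized = re.sub(r'\s+', '', value)
        if normalized != value:
            findings.append((line_no, name, value, normalized))
    return findings


# Constructed sample config; addresses are private-range placeholders.
SAMPLE_CONF = """\
# constructed sample
var HOME_NET [10.1.0.0/16, 192.168.5.0/24]
var DNS_SERVERS [10.1.0.53,10.1.0.54]
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS [ 10.1.0.25 ,10.1.0.26 ]   # trailing comment
"""

if __name__ == "__main__":
    for line_no, name, original, fixed in lint_ip_lists(SAMPLE_CONF):
        print(f"line {line_no}: {name} {original} -> {fixed}")
```

Running it against each sensor's config before a restart surfaces the kind of difference that is easy to miss when comparing two configs by eye.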



