[Snort-users] Re: [Snort-sigs] RE: Ignoring Win32 SNMP printer checks
nk99 at ...10637...
Mon May 24 23:05:24 EDT 2004
OK, I found it, but this is very weird. Although I already noticed
similar Snort behavior. Sometimes it doesn't like the spaces in
config/rules. Some time ago, a few of my custom rules didn't work just
because there was (e.g.) 'content: "<something>"', instead of
'content:"<something>"'. This time it happened to the subnet list in
HOME_NET. It was defined like 'HOME_NET [<subnet>, <subnet>]'. Right
after I removed the space after the comma, the rule started to apply.
Anyway, the rule now works as expected.
> Does it alert consistently on the captured packet when replayed?
> Does it alert on the "good" sensor when replayed?
> From: "Nerijus Krukauskas" <nk99 at ...10637...>
>> Yup. HOME_NET is defined with subnets, where both addresses (from
>>the sample below) fall within. The strange thing is that another
>>sensor in another segment is behaving like expected. Although the
>>config between them differs only in sensor_name in db output. The
>>trouble is caused just in one IP subnet.
>> Seems like I have overlooked something very small, yet not so
>>obvious... If I'm gonna find this, I will post the results.
>>nnposter at ...603... wrote:
>>>I do not see an obvious explanation. Have you also checked that the IP
>>>addresses fall within the rule scope?
NK @ Vilnius
It shall be unlawful for any suspicious person to be within the
municipality. -- Local ordinance, Euclid Ohio
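
A lint pass for the two whitespace patterns reported in the message above, as an added example that is not part of the original thread or of Snort itself. The sample config, SIDs and the `lint` function are constructed for illustration; whether a given Snort build mis-parses these forms is the poster's observation, so hits are lines to review on a sensor that silently fails to alert.

```python
import re

# Constructed sample config and rules (not taken from the thread).
SAMPLE = '''\
var HOME_NET [10.1.0.0/16, 192.168.5.0/24]
var DNS_SERVERS [10.1.0.53,10.1.0.54]
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP probe"; content: "public"; sid:1000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP: ok"; content:"private"; sid:1000002;)
# var OLD_NET [10.9.0.0/16, 10.8.0.0/16]
'''

# "var NAME [a,b,...]" style list definitions.
VAR_LIST = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(\[.*\])\s*$')
# A rule option keyword followed by whitespace after the colon.
OPT_SPACE = re.compile(r'[(;]\s*([A-Za-z_]+):[ \t]+')
# Quoted option values, blanked out so their contents cannot trigger a match.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def lint(text):
    """Return (line number, finding type, name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank lines and comments are never parsed
        m = VAR_LIST.match(line)
        if m:
            # Pattern 1: whitespace anywhere inside the bracketed list.
            if re.search(r'\s', m.group(2)):
                findings.append((lineno, 'list-whitespace', m.group(1)))
            continue
        start = line.find('(')
        if start != -1:
            # Pattern 2: 'content: "x"' instead of 'content:"x"'.
            body = QUOTED.sub('""', line[start:])
            for opt in OPT_SPACE.finditer(body):
                findings.append((lineno, 'option-whitespace', opt.group(1)))
    return findings


if __name__ == '__main__':
    for lineno, kind, name in lint(SAMPLE):
        print(f'line {lineno}: {kind} in {name}')
```
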