Snort mailing list archives

Re: Repeating question re: problems with director operators.


From: Jesus Couto <jesus.couto () satec es>
Date: Tue, 05 Mar 2002 17:41:59 +0100

No, the lines are not split in the configuration, because if they were I wouldn't get snort recording anything. It's an artifact of cutting & pasting them to the email client.

And the problem is not replacing 2 rules in different directions with one with <>; the problem is writing a new rule and thinking you are "safe" (not getting attacked) when in fact one of the previous rules is making the new one not work, because of this. The second rule doesn't have to be exactly the same as the first; you may be checking for another kind of packet, but that rule will never be triggered as long as there is another first with the same networks and ports and different direction.

Adding to that the fact that the content option doesn't work with <- rules, which renders some rules of the distribution worthless (example: sid 717), the fact is that the <- operator is seriously broken (well, it was never mentioned in the manual to begin with, but snort doesn't croak when it sees it and it "works" sometimes), and all rules should be written with ->.

So unless I'm terribly mistaken and missing something obvious, this is a bug. That's my question.

Jesús Couto F.
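
An added example, not part of the original message and not Snort code: a small Python linter that locates the rules the message is concerned with, namely rules written with `<-` (with a separate flag when they carry `content`) and rules that share networks and ports with an earlier rule but differ in direction. The header regex, the finding codes and the sample rules are constructed for illustration; the script only finds such rules in a ruleset and does not confirm the behaviour reported.

```python
import re
from collections import defaultdict

# Rule header: action proto left_net left_port operator right_net right_port (options)
HEADER = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<-|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def lint_rules(text):
    """Return (line_no, code, message) findings for a Snort ruleset."""
    findings = []
    seen = defaultdict(list)  # (proto, endpoint pair) -> [(line_no, header as written)]
    for line_no, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if not m:  # comments, variables, blank lines
            continue
        _action, proto, lnet, lport, op, rnet, rport, opts = m.groups()
        left, right = (lnet, lport), (rnet, rport)
        if op == "<-":
            findings.append((line_no, "REVERSE_OP", "uses <-; rewrite with ->"))
            if re.search(r"\bcontent\s*:", opts):
                findings.append((line_no, "CONTENT_WITH_REVERSE_OP",
                                 "content option on a <- rule"))
        # Same two endpoints in either order; "different direction" is read here
        # as a different operator or swapped sides (an assumption of this example).
        key = (proto.lower(), frozenset((left, right)))
        written = (left, op, right)
        for earlier_no, earlier in seen[key]:
            if earlier != written:
                findings.append((line_no, "SHADOWED_BY_EARLIER",
                                 f"same networks/ports as line {earlier_no}, "
                                 "different direction"))
                break
        seen[key].append((line_no, written))
    return findings

# Constructed sample ruleset (not rules from the Snort distribution).
SAMPLE = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed rule A"; flags:S;)
alert tcp $EXTERNAL_NET any <- $HOME_NET 23 (msg:"constructed rule B"; content:"login failed";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule C"; content:"GET";)
'''

if __name__ == "__main__":
    for line_no, code, message in lint_rules(SAMPLE):
        print(f"line {line_no}: {code}: {message}")
```
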

