Snort mailing list archives
Re: stream4 oddity
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Apr 2002 10:02:09 -0500
On Wed, 2002-04-24 at 07:04, Chris Green wrote:
> Ok, need more specifics here on what traffic, what rule, and how your rule type is defined. Rule types are one of the edge cases of snort that isn't tested very often and needs to be replaced with a cleaner functionality
Hi Chris,

After reviewing the logs this morning, I'm not convinced that it is stream4 related. My IDSs don't alert at all anymore, except for three custom rules [alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port Scan";)]. Maybe the problem is in the sid or classification files. I will reload the whole thing from scratch today and let you know what I find.

The rule type defined was:

ruletype block
{
  type alert
  output alert_fwsam: xxx/xxx
}

I know it wasn't SnortSam since substituting this line with 'output alert_full: test.log' had the same results, and moving alert_fwsam out of the custom alert works too.

I have a test rule defined as:

alert icmp any any -> 1.2.3.4 any (msg:"Test Ping"; fwsam: dst, 5 secs;)

that is working with alert, but not with block.

Again, all Snort rules stopped working last night, except for some custom rules without sids. I'll spend more time on it today and let you know what I find.

Regards,
Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
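A small checker for the kind of trouble Frank describes above (rules quietly not firing, a custom ruletype in play, suspicion on the sid and classification files). This is an added example, not code from the thread or from the Snort project. The snort.conf fragment and rule lines are constructed; the "block" ruletype is given an alert_full output as in Frank's substitution test. It flags rules with no sid, rules naming a classtype that classification.config does not declare, and rules whose action is neither built in nor declared by a ruletype; it does not touch Snort itself.

```python
import re

# Constructed sample snort.conf fragment (not from the thread): a custom
# ruletype like Frank's "block", with the output swapped to alert_full as in
# his substitution test, plus one classification entry.
SAMPLE_CONF = """
ruletype block
{
  type alert
  output alert_full: test.log
}
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed sample rules. Line 1 has no sid, line 3 uses an undeclared
# classtype, line 5 uses an action that no ruletype declares.
SAMPLE_RULES = "\n".join([
    'alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port Scan";)',
    'alert icmp any any -> 1.2.3.4 any (msg:"Test Ping"; sid:1000001; rev:1; classtype:attempted-recon;)',
    'block icmp any any -> 1.2.3.4 any (msg:"Test Ping"; fwsam: dst, 5 secs; sid:1000002; classtype:misc-attack;)',
    'drop tcp any any -> any 22 (msg:"SSH"; sid:1000003;)',
    'blok tcp any any -> any any (msg:"typo in action"; sid:1000004;)',
])

# Actions Snort accepts without a ruletype declaration.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),", re.M)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_ruletypes(conf):
    """Return {name: {"type": ..., "outputs": [...]}} for each ruletype block."""
    types = {}
    for name, body in RULETYPE_RE.findall(conf):
        entry = {"type": None, "outputs": []}
        for stmt in body.strip().splitlines():
            stmt = stmt.strip()
            if stmt.startswith("type "):
                entry["type"] = stmt.split(None, 1)[1].strip()
            elif stmt.startswith("output "):
                entry["outputs"].append(stmt.split(None, 1)[1].strip())
        types[name] = entry
    return types


def parse_classifications(conf):
    """Return the set of classtype names declared with 'config classification:'."""
    return {name.strip() for name in CLASS_RE.findall(conf)}


def split_options(body):
    """Split rule option text on ';' that are not inside double quotes."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Parse one Snort rule line into its header fields and an options dict."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')  # flag-only options get ""
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def lint_rules(rules_text, ruletypes, classifications):
    """Return [(line_no, problem), ...] for rules likely to be dropped or misfiled."""
    problems = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((n, "unparseable rule"))
            continue
        action = rule["action"]
        if action not in BUILTIN_ACTIONS and action not in ruletypes:
            problems.append((n, f"unknown action '{action}' (no ruletype defined)"))
        opts = rule["options"]
        if "sid" not in opts:
            problems.append((n, "missing sid"))
        if "classtype" in opts and opts["classtype"] not in classifications:
            problems.append((n, f"undefined classtype '{opts['classtype']}'"))
    return problems


def run_lint(conf=SAMPLE_CONF, rules=SAMPLE_RULES):
    """Lint the rules against the ruletypes and classifications in conf."""
    return lint_rules(rules, parse_ruletypes(conf), parse_classifications(conf))


if __name__ == "__main__":
    for line_no, problem in run_lint():
        print(f"rule line {line_no}: {problem}")
```

Point run_lint() at real snort.conf and rules files (read their contents into the two arguments) to get the same three kinds of findings on a live configuration; the quoted-semicolon handling in split_options keeps a ';' inside a msg string from breaking the option split.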
Current thread:
- stream4 oddity Frank Knobbe (Apr 23)
- Re: stream4 oddity Chris Green (Apr 24)
- Re: stream4 oddity Frank Knobbe (Apr 24)
- Re: stream4 oddity Chris Green (Apr 24)