Re: stream4 oddity

[Frank Knobbe <fknobbe () knobbeits com>]

On Wed, 2002-04-24 at 07:04, Chris Green wrote:
> Ok need more specifics here on what traffic, what rule, and how your
> rule type is defined.  Rule types are one of the edge cases of snort
> that isn't tested very often and needs to be replaced with a cleaner
> functionality

Hi Chris,

after reviewing the logs this morning, I'm not convinced that it is
stream4 related. My IDS's doesn't alert at all anymore, except for three
custom rules [alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port
Scan";)]. Maybe the problem is in the sid or classification files. I
will reload the whole thing from scratch today and let you know what I
find.

The rule type defined was:
ruletype block
{
   type alert
   output alert_fwsam: xxx/xxx
}

I know it wasn't SnortSam since substituting this line with 'output
alert_full: test.log' had the same results, and moving alert_fwsam out
of the custom alert works too.

I have a test rule defined as:
alert icmp any any -> 1.2.3.4 any (msg:"Test Ping";fwsam: dst, 5 secs;)
that is working with alert, but not with block.

Again, all Snort rules stopped working last night, except for some
custom rules without sid's. I'll spend more time on it today and let you
know what I find.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part