RE: stream4 oddity --- Update

[Frank Knobbe <FKnobbe () KnobbeITS com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris,

I just checked out fresh from CVS the SNORT_1_8 branch, and compiled
under Win32 (sorry, I didn't mention the platform before). As far as
the rule type is concerned, I haven't tested that yet.

However, as soon as I include the stream4 pre-prop, Snort
initializes, and then after about 15-20 secs just quits. It doesn't
crash, it just exists. Without stream4, it seems to run stable
(hasn't existed in the last 1.5 hours).

I'll check on the rule type this afternoon.

Regards,
Frank




> -----Original Message-----
> From: Frank Knobbe [mailto:fknobbe () knobbeits com]
> Sent: Wednesday, April 24, 2002 10:02 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] stream4 oddity
>
>
> On Wed, 2002-04-24 at 07:04, Chris Green wrote:
> > Ok need more specifics here on what traffic, what rule, and how
> > your rule type is defined.  Rule types are one of the edge cases
> > of snort that isn't tested very often and needs to be replaced
> > with a cleaner functionality
>
> Hi Chris,
>
> after reviewing the logs this morning, I'm not convinced that it is
> stream4 related. My IDS's doesn't alert at all anymore, 
> except for three
> custom rules [alert tcp $EXTERNAL_NET any -> $UNUSED any 
> (msg:"TCP Port
> Scan";)]. Maybe the problem is in the sid or classification files.
> I will reload the whole thing from scratch today and let you know
> what I find.
>
> The rule type defined was:
> ruletype block
> {
>    type alert
>    output alert_fwsam: xxx/xxx
> }
>
> I know it wasn't SnortSam since substituting this line with 'output
> alert_full: test.log' had the same results, and moving alert_fwsam
> out of the custom alert works too.
>
> I have a test rule defined as:
> alert icmp any any -> 1.2.3.4 any (msg:"Test Ping";fwsam: 
> dst, 5 secs;)
> that is working with alert, but not with block.
>
> Again, all Snort rules stopped working last night, except for some
> custom rules without sid's. I'll spend more time on it today 
> and let you
> know what I find.
>
> Regards,
> Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPMbjb8zYtOFvgXQfEQJlewCghK79eYx6mwAKwcu0dDeGGBM3WckAoJD1
iRMjka3tTMw2mqG99sJmDz1X
=radX
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users