Snort mailing list archives
RE: stream4 oddity --- Update
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Wed, 24 Apr 2002 11:55:11 -0500
Chris,

I just checked out fresh from CVS the SNORT_1_8 branch, and compiled under Win32 (sorry, I didn't mention the platform before). As far as the rule type is concerned, I haven't tested that yet. However, as soon as I include the stream4 preprocessor, Snort initializes, and then after about 15-20 secs just quits. It doesn't crash, it just exits. Without stream4, it seems to run stable (hasn't exited in the last 1.5 hours). I'll check on the rule type this afternoon.

Regards,
Frank
-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Wednesday, April 24, 2002 10:02 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] stream4 oddity

On Wed, 2002-04-24 at 07:04, Chris Green wrote:
> Ok, need more specifics here on what traffic, what rule, and how your rule type is defined. Rule types are one of the edge cases of Snort that isn't tested very often and needs to be replaced with a cleaner functionality.

Hi Chris,

after reviewing the logs this morning, I'm not convinced that it is stream4 related. My IDS doesn't alert at all anymore, except for three custom rules [alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port Scan";)]. Maybe the problem is in the sid or classification files. I will reload the whole thing from scratch today and let you know what I find.

The rule type defined was:

    ruletype block
    {
        type alert
        output alert_fwsam: xxx/xxx
    }

I know it wasn't SnortSam since substituting this line with 'output alert_full: test.log' had the same results, and moving alert_fwsam out of the custom alert works too.

I have a test rule defined as:

    alert icmp any any -> 1.2.3.4 any (msg:"Test Ping";fwsam: dst, 5 secs;)

that is working with alert, but not with block.

Again, all Snort rules stopped working last night, except for some custom rules without sids. I'll spend more time on it today and let you know what I find.

Regards,
Frank