Snort mailing list archives
RE: Snort rules order.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 29 Oct 2002 15:38:54 -0500
My command line includes the -o switch, so should I eliminate this and use this in my snort.conf instead?

config order: pass trap-db alert log

Thanks!

vjl

-----Original Message-----
From: Andrew R. Baker [mailto:andrewb () snort org]
Sent: Tuesday, October 29, 2002 3:34 PM
To: larosa, vjay
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort rules order.

larosa, vjay wrote:
Hello, I am running snort v 1.9.0 build 209 and I am having a problem with the ordering of some rules. I was under the assumption that this didn't matter anymore with snort 1.9.0.

I have two rules (trap-db is a custom ruletype I defined. Instead of using alert I use trap-db to send snmp traps for some events).

trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll"; content:"|0001|"; offset:0; depth:2; content:"admin.dll"; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)

and

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)

For some reason the second rule gets triggered when I try a tftp session and do a get admin.dll, but if I say get passwd the correct passwd rule triggers.

alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)

Anybody have any clue what might be wrong?

Thanks!
Do you have a "config order" line in your config file? By default, Snort orders custom rule types after the default rule types. Try adding this line to your snort.conf (after the declaration of the trap-db rule type):

config order: trap-db alert pass log

-A
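The fix Andrew describes, laid out as a complete snort.conf fragment. This is an added example, not a configuration posted in the thread. The ruletype body is an assumption: vjay's real trap-db type sends SNMP traps, but that output line is not on the page, so alert_syslog stands in for it, and the HOME_NET/EXTERNAL_NET values are placeholders. The config order line is the one vjay proposes, which keeps the pass-first behaviour of the -o switch (pass before alert) while moving trap-db ahead of alert. The reason the order matters is that Snort 1.x acts on the first rule that matches a packet: when both the generic "TFTP Get" alert rule and the trap-db "TFTP GET Admin.dll" rule match the same datagram, the rule type that is evaluated first wins, and with the default order that is the alert type.

```snort
# snort.conf fragment (added example, not from the thread)

var HOME_NET 10.0.0.0/8          # assumed value
var EXTERNAL_NET !$HOME_NET      # assumed value

# Custom rule type. vjay's real body sends SNMP traps; that output line is
# not on the page, so alert_syslog is used here as a stand-in.
ruletype trap-db
{
    type alert
    output alert_syslog: LOG_LOCAL0 LOG_ALERT
}

# Must come AFTER the ruletype declaration above. The default order is
# alert pass log, with custom types after the built-in ones, so the generic
# "TFTP Get" alert rule (sid 1444) fires before the trap-db "TFTP GET
# Admin.dll" rule (sid 1289) is ever evaluated. Listing trap-db before
# alert fixes that; listing pass first keeps the behaviour of the -o
# switch, which can then be dropped from the command line.
config order: pass trap-db alert log

# The two overlapping rules from the thread. Both match a TFTP read request
# for admin.dll; rule types are now evaluated in the order given above, so
# the trap-db rule is the one that fires.
trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; offset:0; depth:2; content:"admin.dll"; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)
```

Before restarting the sensor, run snort in self-test mode (snort -T -c snort.conf) to confirm the ruletype and the config order line parse; a config order line that names a rule type before its ruletype block is declared is the usual reason this fails.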