Snort mailing list archives
Re: Snort 1.9 vs 2.0
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Mon, 14 Oct 2002 10:28:28 +0200
Hi Chris, hi list, first of all thanks to sourcefire for releasing their improvements to the open-source community.
> The biggest end user change in this is that rule ordering matters a lot less than it used to. If you specify content options in a rule, multiple matches will alert on the longest singular content match.
Is it right that the new matching "most exact -> less exact -> catch all" will affect the pass rules as well? Because when using 2.0.0-Build1 with the ruleset for 1.9 I have the following "problem":

    pass tcp any any -> a.b.c.d 21

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1378; rev:7;)

That's from my ftp.rules (ignore the linefeeds on the second rule *g*), and it works quite well for 1.9 (where it ignores any traffic to a.b.c.d port 21), but it doesn't work with 2.0. My debug output shows that some of the traffic to a.b.c.d gets caught by the pass rule, while other traffic to a.b.c.d (which BTW is in $HOME_NET) gets caught by the alert rule (although using -o).

Kind regards,
Jens
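An added toy model (not Snort's engine, and not part of this thread) of the two selection strategies under discussion: first-match-in-pass/alert/log order as with 1.x `-o`, versus the "longest single content match wins" behaviour described for 2.0. It assumes that a content-less pass rule scores zero in the content-length comparison, which is one way the observed mix of pass and alert hits could arise; the IP 10.0.0.5 and the FTP payload are constructed stand-ins.

```python
# Constructed toy model of the two rule-selection strategies in this thread,
# not Snort's engine: select_ordered() mimics 1.x with -o (pass before alert,
# first match wins); select_longest_content() mimics the 2.0 behaviour Chris
# describes (among all matching rules the longest single content match wins).
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                                   # "pass" or "alert"
    dst_ip: str                                   # exact IP or "any"
    dst_port: int
    contents: list = field(default_factory=list)  # content: options

@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes

def matches(rule, pkt):
    """Header match plus every content: option present in the payload."""
    if rule.dst_port != pkt.dst_port or rule.dst_ip not in ("any", pkt.dst_ip):
        return False
    return all(c.encode() in pkt.payload for c in rule.contents)

def longest_content(rule):
    return max((len(c) for c in rule.contents), default=0)

def select_ordered(rules, pkt):
    """1.x with -o: pass -> alert -> log; the first matching rule wins."""
    order = {"pass": 0, "alert": 1, "log": 2}
    for r in sorted(rules, key=lambda r: order[r.action]):
        if matches(r, pkt):
            return r
    return None

def select_longest_content(rules, pkt):
    """2.0-style: of all matching rules, the longest content wins; a
    content-less pass rule therefore scores 0 and loses (assumed here)."""
    hits = [r for r in rules if matches(r, pkt)]
    return max(hits, key=longest_content) if hits else None

RULES = [
    Rule("pass", "10.0.0.5", 21),                       # stands in for a.b.c.d
    Rule("alert", "any", 21, ["~", "{"]),               # sid:1378 content options
]
# Constructed FTP command carrying both content strings.
PKT = Packet("10.0.0.5", 21, b"CWD ~{root,user}\r\n")
```

Traffic to the passed host that does not contain both content strings still matches only the pass rule under either strategy, which is consistent with some traffic being passed and some alerted.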