Snort mailing list archives
Re: Snort-users digest, Vol 1 #2825 - 12 msgs
From: "Pete Davis" <peted () springisd org>
Date: Sun, 23 Feb 2003 14:58:39 -0600
<< SNIP >>
I just upgraded from 1.8.3 to 1.9.0beta6. I copied the pass rules from
1.8.3 to use with 1.9.x but they don't work anymore.

What's the rule in question?

-steve
<< End SNIP >>

Here are the rules I am sure aren't working with 1.9 but worked with 1.8.3 (the others I'm not sure about so I'm not posting them). I am changing the IPs to protect the innocent ;) :

pass tcp 109.110.60.0/24 any -> 190.211.110.110 22 (msg:"SSH to Web Filter";classtype:misc-activity; rev:1;)
pass tcp 10.1.96.0/19 1024: -> $EXTERNAL_NET 20:21 (msg:"outgoing ftp from 10.1";classtype:misc-activity; rev:1;)
pass tcp 68.147.53.0/24 any -> 190.211.110.54 23 (msg:"Chris Pertran to Random server";classtype:misc-activity; rev:1;)

When I go through the MySQL database with ACID, I am getting records that should be passing (like they did in 1.8.3). I have 3x checked the database to see if any of the IPs have changed but they are inside the range to cause the 'pass' to occur. I have checked to make sure it is pass first (in window and on CLI). I copied the file directly 'as is' from the original Snort box with no changes. I also changed the destination hosts' IPs to include /32 but it didn't make a difference.

As best as I can find out, I should not have to make any changes to get the old rules to work.

BTW, I am using the beta of 1.9 since the Windows side of Snort is harder to get info about. I found this version and it was not labeled as beta. Also, the version on the Snort site doesn't indicate if it supports MySQL, which is a prerequisite for me.

Thanks for any and all help.

Pete
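Added example (not part of the original post, and not Snort's own code): a script for the check the post describes doing by hand, testing whether a logged event falls inside the header of one of the posted pass rules. It handles only the header forms used in those rules (CIDR or host addresses, "any", port ranges, "->"); the value of $EXTERNAL_NET and the sample events are constructed assumptions.

```python
import ipaddress
import re

# The three pass rules exactly as posted in the message above.
PASS_RULES = [
    'pass tcp 109.110.60.0/24 any -> 190.211.110.110 22 (msg:"SSH to Web Filter";classtype:misc-activity; rev:1;)',
    'pass tcp 10.1.96.0/19 1024: -> $EXTERNAL_NET 20:21 (msg:"outgoing ftp from 10.1";classtype:misc-activity; rev:1;)',
    'pass tcp 68.147.53.0/24 any -> 190.211.110.54 23 (msg:"Chris Pertran to Random server";classtype:misc-activity; rev:1;)',
]
# Assumption: the post does not show its snort.conf, so $EXTERNAL_NET is taken as "any".
VARS = {"EXTERNAL_NET": "any"}

HEADER = re.compile(r'^pass\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def addr_match(spec, ip):
    """True if ip is covered by a rule address field ('any', host or CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    """True if port is covered by a port field ('any', 'N', 'N:', ':M', 'N:M')."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return int(lo or 0) <= port <= int(hi or 65535)

def matching_pass_rule(event, rules=PASS_RULES, variables=VARS):
    """Return the msg of the first pass rule whose header covers the event, else None."""
    proto, sip, sport, dip, dport = event
    for rule in rules:
        m = HEADER.match(rule)
        if not m:
            raise ValueError("unsupported rule syntax: " + rule)
        fields = [variables[f[1:]] if f.startswith("$") else f for f in m.groups()[:5]]
        r_proto, r_src, r_sport, r_dst, r_dport = fields
        if (proto == r_proto and addr_match(r_src, sip) and port_match(r_sport, sport)
                and addr_match(r_dst, dip) and port_match(r_dport, dport)):
            return re.search(r'msg:"([^"]*)"', m.group(6)).group(1)
    return None

if __name__ == "__main__":
    # Constructed events (proto, src ip, src port, dst ip, dst port), as read from alert records.
    for ev in [("tcp", "109.110.60.17", 40222, "190.211.110.110", 22),
               ("tcp", "10.1.128.9", 1500, "192.0.2.10", 21)]:
        print(ev, "->", matching_pass_rule(ev) or "no pass rule covers this event")
```

An event that this reports as covered but that still appears in the alert database points away from the address and port ranges and toward how the sensor is loading or ordering the rules.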