Snort mailing list archives

Re: Snort-users digest, Vol 1 #2825 - 12 msgs


From: "Pete Davis" <peted () springisd org>
Date: Sun, 23 Feb 2003 14:58:39 -0600

<< SNIP >>

I just upgraded from 1.8.3 to 1.9.0beta6.  I copied the pass rule from
1.8.3 to use with 1.9.x but they don't work anymore.  

What's the rule in question?

-steve

<< End SNIP >>

Here are the rules I am sure aren't working with 1.9 but worked with
1.8.3 (the others I'm not sure about, so I'm not posting them).  I am
changing the IPs to protect the innocent ;) :

pass tcp 109.110.60.0/24 any -> 190.211.110.110 22 (msg:"SSH to Web Filter";classtype:misc-activity; rev:1;)

pass tcp 10.1.96.0/19 1024: -> $EXTERNAL_NET 20:21 (msg:"outgoing ftp from 10.1";classtype:misc-activity; rev:1;)

pass tcp 68.147.53.0/24 any -> 190.211.110.54 23 (msg:"Chris Pertran to Random server";classtype:misc-activity; rev:1;)

When I go through the MySQL database with ACID, I am getting records
that should be passing (like they did in 1.8.3).  I have 3x checked the
database to see if any of the IPs have changed but they are inside the
range to cause the 'pass' to occur.

I have checked to make sure it is pass first (in window and on CLI).  I
copied the file directly 'as is' from the original Snort box with no
changes.  I also changed the destination hosts' IPs to include /32 but
it didn't make a difference.

As best as I can find out, I should not have to make any changes to get
the old rules to work.

BTW, I am using the beta of 1.9 since the Windows side of Snort is
harder to get info about.  I found this version and it was not labeled
as beta.  Also, the version on the Snort site doesn't indicate if it
supports MySQL, which is a prerequisite for me.

Thanks for any and all help.

Pete
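
An added example, not part of the original post and not Snort code: a
simplified Python check of whether logged alert tuples fall inside the
headers of the three pass rules quoted above.  The alert rows are
constructed, $EXTERNAL_NET is assumed to be "any", and only the rule
header is evaluated (no rule options, negation or address lists).

```python
import ipaddress
import re

# Pass rule headers as posted (addresses already anonymised by the poster).
PASS_RULES = [
    "pass tcp 109.110.60.0/24 any -> 190.211.110.110 22",
    "pass tcp 10.1.96.0/19 1024: -> $EXTERNAL_NET 20:21",
    "pass tcp 68.147.53.0/24 any -> 190.211.110.54 23",
]

# Assumption: $EXTERNAL_NET is "any"; set it to match your own snort.conf.
VARIABLES = {"$EXTERNAL_NET": "any"}

HEADER = re.compile(r"^pass\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")

def addr_matches(spec, ip):
    spec = VARIABLES.get(spec, spec)
    if spec == "any":
        return True
    # A bare address is treated as a /32 network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # "1024:" means 1024 and up, "20:21" is an inclusive range
        low, high = spec.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return int(spec) == port

def matching_pass_rule(proto, src, sport, dst, dport):
    """Return the first pass rule header covering this packet tuple, else None."""
    for rule in PASS_RULES:
        r_proto, r_src, r_sport, r_dst, r_dport = HEADER.match(rule).groups()
        if (r_proto == proto and addr_matches(r_src, src)
                and port_matches(r_sport, sport)
                and addr_matches(r_dst, dst) and port_matches(r_dport, dport)):
            return rule
    return None

# Constructed sample rows, shaped like alert tuples exported from the database.
ALERTS = [
    ("tcp", "109.110.60.17", 40312, "190.211.110.110", 22),
    ("tcp", "10.1.130.5", 2048, "203.0.113.9", 21),  # outside 10.1.96.0/19
    ("tcp", "68.147.53.200", 1100, "190.211.110.54", 23),
]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert, "->", matching_pass_rule(*alert) or "no pass rule matches")
```

A row that reports "no pass rule matches" is an alert the pass rules
were never going to suppress; rows that do match are the ones worth
comparing between the 1.8.3 and 1.9 sensors.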

