Snort mailing list archives
Re: Questions after 1.9.1 install
From: Alberto Gonzalez <albertg () wwjh net>
Date: Sat, 15 Mar 2003 15:34:38 -0500 (EST)
But was that the *only* rule in your local.rules?
Yes it was, since that was the rule you were having problems with.
It's not so much that the rule doesn't work, it's that it doesn't fire while a more generic rule does, even when the specific rule is *before* the generic one (to address Erek's question..) thus:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to 445 Win2k SMB"; )

comes before the generic:

    alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
    from range 1025-4320";)
gimme a few seconds, I just woke up.. I will drop you a line once/if I confirm it...... damn job turned me into a vampire.
Does -o also re-order rules within the class "alert" in addition to re-ordering the general classes?
-o changes the rule ordering to Pass, Alert, and Log, from the default Alert, Pass, and Log.
I hadn't thought so.. - John
Cheers,
Alberto Gonzalez
--
"Success comes to the person who does today, what you are thinking of doing tomorrow."