Snort mailing list archives
RE: Rule Order
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Fri, 2 May 2003 07:33:03 -0500
That is what I saw in production, and in my testing. If I looked at the packet dump, it should have triggered an L3 or Windows Ping, etc., but instead it only triggered the "undefined code". Changing the order back to default will make the same configuration trigger correctly. It's kind of like a Pink Elephant. I'm not glad it's there, but at least someone else sees it. ;-)

Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org

-----Original Message-----
From: Allan Dover [mailto:allan () redwoods ca]
Sent: Friday, May 02, 2003 7:29 AM
To: Ron Shuck; snort-users () lists sourceforge net
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-users] Rule Order

Hey Ron,

I am having the same problem as you. As soon as I switched to pass alert log, I started getting undefined ICMP errors. Interestingly enough, these were known ICMP alerts, L3retriever and so on. I am still a piglet with snort (don't like using newbie).

Anyone have any other suggestions?

Allan Dover
Systems Administrator

This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. Your co-operation is appreciated.

----- Original Message -----
From: "Ron Shuck" <rshuck () Buchanan com>
To: <snort-users () lists sourceforge net>
Cc: <snort-devel () lists sourceforge net>
Sent: Thursday, May 01, 2003 3:33 PM
Subject: [Snort-users] Rule Order

Hi,

Has anyone else changed the rule order under 2.0? When I upgraded to 2.0, I started having problems with ICMP alerts when my rule order was set to 'pass alert log'. Actually, any setting other than default caused problems. ICMP alerts happen; they just skip the normal rule and trigger the "Undefined Code" rule.

TIA,

Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
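The thread turns on what Snort's rule order setting actually does: `config order` chooses which rule types (alert, pass, log) are evaluated first, and the default is alert, pass, log, so a matching pass rule only suppresses an alert when pass is moved ahead of alert. The following is an added example, not code from the thread or from Snort itself: a small Python model of that type-precedence semantics, with constructed ICMP rules loosely modeled on the classic ping signatures (the "undefined code" rule here matches echo requests with a code greater than zero). It illustrates the expected behaviour under both orders; it does not reproduce the 2.0 bug reported above, which is an undiagnosed deviation from this model.

```python
# Toy model of Snort's "config order" rule-type precedence.
# Added example: a simplified simulation, not Snort's detection engine.
# Rule contents, messages and packets below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class Rule:
    action: str                        # "pass", "alert" or "log"
    msg: str
    itype: Optional[int] = None        # ICMP type to match; None = any
    icode_gt: Optional[int] = None     # fire only if code > this; None = no test
    content: bytes = b""               # required payload substring; b"" = no test


@dataclass
class Packet:
    itype: int
    icode: int
    payload: bytes = b""


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every option in a rule must match, as in Snort (options are ANDed)."""
    if rule.itype is not None and pkt.itype != rule.itype:
        return False
    if rule.icode_gt is not None and not pkt.icode > rule.icode_gt:
        return False
    if rule.content and rule.content not in pkt.payload:
        return False
    return True


def evaluate(rules: Sequence[Rule], pkt: Packet,
             order: Tuple[str, ...] = ("alert", "pass", "log")) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, msg) of the first rule that fires.

    Rule types are checked in the configured order (Snort's default is
    alert, pass, log); within a type, rules fire in file order. Once a
    type produces a match, later types are not consulted for this packet.
    """
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return None, None


# Constructed rule set: two specific echo-request signatures, a catch-all for
# echo requests carrying a non-zero code, and a pass rule for echo requests.
RULES = [
    Rule("alert", "ICMP PING Windows", itype=8, content=b"abcdefghijklmnop"),
    Rule("alert", "ICMP L3retriever Ping", itype=8,
         content=b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"),
    Rule("alert", "ICMP PING undefined code", itype=8, icode_gt=0),
    Rule("pass", "pass echo requests (constructed)", itype=8),
]

# Constructed packets: a normal Windows-style ping and an echo request with code 3.
WINDOWS_PING = Packet(itype=8, icode=0, payload=b"abcdefghijklmnopqrstuvwabcdefghi")
ODD_CODE_PING = Packet(itype=8, icode=3, payload=b"xyz")


def default_order() -> Tuple[Optional[str], Optional[str]]:
    # Alert rules are evaluated first, so the specific signature wins
    # even though a pass rule also matches the packet.
    return evaluate(RULES, WINDOWS_PING)


def pass_first() -> Tuple[Optional[str], Optional[str]]:
    # With "pass alert log", the pass rule is consulted first and the
    # matching alert rule is never reached.
    return evaluate(RULES, WINDOWS_PING, order=("pass", "alert", "log"))


def undefined_code_ping() -> Tuple[Optional[str], Optional[str]]:
    # Only a non-zero ICMP code should reach the catch-all rule.
    return evaluate(RULES, ODD_CODE_PING)


if __name__ == "__main__":
    print("default order :", default_order())
    print("pass first    :", pass_first())
    print("odd code ping :", undefined_code_ping())
```

The practical check this gives a defender: under the default order a normal ping should always resolve to its specific signature, and the catch-all should fire only when the ICMP code is non-zero. If a sensor reports the catch-all for a packet whose dump shows code 0 and a known payload, as in the thread, the rule set is not being evaluated as this model describes and the configuration change should be reverted until the cause is understood.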
Attachment: smime.p7s
Current thread:
- Rule Order Ron Shuck (May 01)
- Re: Rule Order Allan Dover (May 02)
- <Possible follow-ups>
- RE: Rule Order Ron Shuck (May 02)