Snort mailing list archives
<-, -> doesn't work correctly if source and origin have a rule in the other direction.
From: Jesus Couto <jesus.couto () satec es>
Date: Thu, 28 Feb 2002 15:32:33 +0100
Hi,

I have found that any rule with <- gets ignored if there is already a rule that has the same networks and ports on the left and right sides of the operator, but in the other direction.

For example, testing with this rule set:

alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> any any (msg:"http resp www.io.com";)

captures all packets from and to the www.io.com servers, but the set:

alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)
alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)

only captures the traffic to those servers, never the traffic coming from them.

Using only:

alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)

shows response traffic, so the operator is interpreted correctly, and inverting the order:

alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)
alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)

only captures responses. I'm using snort 1.8.3 and I have tested it with 1.8.4-b2 too.

Thanks in advance,
Jesús Couto F.
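The behaviour the poster expects, as an added example (not code from the post or from Snort): a small Python parser for Snort rule headers that normalizes a `<-` rule by swapping its two sides into `->` form, so the request and response rules from the post are stored as two distinct headers and each packet direction matches only its own rule, whatever order the rules are loaded in. It assumes plain IP lists (no CIDR, negation or variables); the rule text is copied from the post and the packet tuples are constructed.

```python
import re
from dataclasses import dataclass

# Rule text taken from the post; the second rule uses the "<-" operator.
RULES = [
    'alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)',
    'alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)',
]

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<-|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: frozenset     # IP strings, or {"any"} (assumption: no CIDR/negation)
    sport: frozenset   # port strings, or {"any"}
    dst: frozenset
    dport: frozenset
    bidir: bool        # True for "<>"
    msg: str

def _field(text):
    return frozenset(text.strip("[]").split(","))

def parse_rule(text):
    m = HEADER.match(text)
    if not m:
        raise ValueError("bad rule header: " + text)
    action, proto, a, ap, op, b, bp, opts = m.groups()
    if op == "<-":  # normalize: store every rule as source -> destination
        a, ap, b, bp = b, bp, a, ap
    msg = re.search(r'msg:"([^"]*)"', opts)
    return Rule(action, proto, _field(a), _field(ap), _field(b), _field(bp),
                op == "<>", msg.group(1) if msg else "")

def _side_ok(addrs, ports, ip, port):
    return ("any" in addrs or ip in addrs) and ("any" in ports or str(port) in ports)

def match(rule, sip, sport, dip, dport):
    fwd = _side_ok(rule.src, rule.sport, sip, sport) and _side_ok(rule.dst, rule.dport, dip, dport)
    rev = rule.bidir and _side_ok(rule.src, rule.sport, dip, dport) and _side_ok(rule.dst, rule.dport, sip, sport)
    return fwd or rev

def matching_msgs(rules, sip, sport, dip, dport):
    """Return the msg of every rule that matches the packet (sip:sport -> dip:dport)."""
    return [r.msg for r in rules if match(r, sip, sport, dip, dport)]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULES]
    print(matching_msgs(rules, "10.0.0.5", 34567, "199.170.88.41", 80))   # constructed request
    print(matching_msgs(rules, "199.170.88.41", 80, "10.0.0.5", 34567))   # constructed response
```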