Snort mailing list archives

<-, -> doesn't work correctly if source and origin have a rule in the other direction.


From: Jesus Couto <jesus.couto () satec es>
Date: Thu, 28 Feb 2002 15:32:33 +0100

Hi,

I have found that any rule with <- gets ignored if there is already a rule that has the same networks and ports on the left and right sides of the operator, but in the other sense.

For example, testing with this rule set:

alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> any any (msg:"http resp www.io.com";)

captures all packets from and to the www.io.com servers, but the set:

alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)
alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)

only captures the traffic to those servers, never the traffic coming from them.

Using only:

alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)

shows response traffic, so the operator is interpreted correctly, and inverting the order:

alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)
alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)

only captures responses.

I'm using snort 1.8.3 and I have tested it with 1.8.4-b2 too.

Thanks in advance,

Jesús Couto F.
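A small rule-set checker, added here as an example and not part of this thread or of Snort itself. It parses Snort rule headers, flags pairs of unidirectional rules that describe the same two endpoints in opposite directions (the situation in the report above), and rewrites any `<-` rule into the `->` form with the endpoints swapped, which is the form used by the first rule set the poster says works. The header grammar it accepts (action, protocol, source, source port, direction, destination, destination port, optional parenthesised options) and the sample rules are constructed from the post; it assumes nothing about how Snort itself handles `<-` internally.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the shape of the poster's second (misbehaving) rule set.
RULESET = """
alert tcp any any -> [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http req www.io.com";)
alert tcp any any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com";)
"""


class RuleHeader(NamedTuple):
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: str


# One rule per line: action proto src sport (->|<-|<>) dst dport [(options)]
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<-|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$"
)


def parse_rule(line: str) -> RuleHeader:
    """Split one rule line into its header fields; raise on anything unparseable."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable rule header: {line!r}")
    return RuleHeader(m["action"], m["proto"], m["src"], m["sport"],
                      m["dir"], m["dst"], m["dport"], m["opts"] or "")


def canonicalize(rule: RuleHeader) -> RuleHeader:
    """Express a '<-' rule as '->' with the two endpoints swapped; leave others alone."""
    if rule.direction != "<-":
        return rule
    return rule._replace(src=rule.dst, sport=rule.dport, direction="->",
                         dst=rule.src, dport=rule.sport)


def endpoint_key(rule: RuleHeader) -> Tuple[Tuple[str, str], ...]:
    """Unordered pair of (network, port) endpoints; a rule and its mirror share one key."""
    return tuple(sorted([(rule.src, rule.sport), (rule.dst, rule.dport)]))


def find_mirror_pairs(rules: List[RuleHeader]) -> List[Tuple[int, int]]:
    """Return (i, j) index pairs of unidirectional rules covering the same endpoints
    in opposite directions, i.e. the combination the report says gets ignored."""
    seen: Dict[Tuple[Tuple[str, str], ...], List[int]] = {}
    pairs = []
    for i, rule in enumerate(rules):
        if rule.direction == "<>":          # bidirectional rules are not part of the report
            continue
        cur = canonicalize(rule)
        key = endpoint_key(cur)
        for j in seen.get(key, []):
            other = canonicalize(rules[j])
            if ((other.src, other.sport) == (cur.dst, cur.dport)
                    and (other.dst, other.dport) == (cur.src, cur.sport)):
                pairs.append((j, i))
        seen.setdefault(key, []).append(i)
    return pairs


def format_rule(rule: RuleHeader) -> str:
    """Render a header back to Snort's one-line rule syntax."""
    return (f"{rule.action} {rule.proto} {rule.src} {rule.sport} {rule.direction} "
            f"{rule.dst} {rule.dport} {rule.options}").rstrip()


def normalize_ruleset(text: str) -> List[str]:
    """Parse a rule file, rewrite every '<-' rule as '->' with swapped endpoints,
    and return the rules as lines ready to write back out."""
    rules = [parse_rule(line) for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    return [format_rule(canonicalize(r)) for r in rules]


if __name__ == "__main__":
    parsed = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]
    for a, b in find_mirror_pairs(parsed):
        print(f"rules {a} and {b} are mirror images of each other")
    print("\n".join(normalize_ruleset(RULESET)))
```

Running the checker over the sample prints that rules 0 and 1 mirror each other and emits the second rule as `alert tcp [...] 80 -> any any (...)`, which is exactly the form of the poster's first, working rule set; applying it to a rule file before loading it sidesteps the ordering sensitivity the post describes without changing what the rules match.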


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
