Snort mailing list archives

Repeating question re: problems with director operators.


From: Jesus Couto <jesus.couto () satec es>
Date: Tue, 05 Mar 2002 12:22:59 +0100

Hi,

I have not read any answer acknowledging this problem.

To repeat, all testing I have done in snort-1.8.3 and the 1.8.4 betas shows the same behavior: if there is a rule defined with one operator, a rule that has the same networks and ports both to the left and to the right of the operator but uses the operator in the other direction is ignored.

Example:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 213.164.32.133 any (msg:"http req www.io.com";)

never shows any alert for request traffic, and the inverse

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 213.164.32.133 any (msg:"http req www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)

never shows any alarms for the answers from the website. Either rule alone works, and rewriting them to use the -> operator (switching the left and right network and port definitions) works.

Also, there seems to be a problem with the content option in rules for tcp traffic with the <- operator; for example:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com"; content: "I";)

generates alarms when browsing www.io.com, but

alert tcp 213.164.32.133 any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com"; content: "I";)

doesn't. Tried changing options and disabling stream4 and stream4_reassemble without results.

Platform: snort-1.8.3 and all the .4 betas running on Linux 2.2.17 (Debian).

Can anybody else repeat the test and confirm this?

Jesús Couto F.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
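Added example (not code from the poster or from Snort): a small rule-header matcher that implements the direction semantics the Snort rule language documents, the unidirectional -> and the bidirectional <>, plus a plain content: check. It is run over two constructed packets, a request from 213.164.32.133 to one of the www.io.com addresses on port 80 and the matching response, and shows the rewrite the poster found to work: a request rule written with the two sides swapped and ->. Any direction token other than -> or <> is rejected by this toy parser. The packet payloads and the 33001 client port are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample traffic (not captured from the poster's network): a client at
# 213.164.32.133 fetching a page from one of the www.io.com addresses in the post.
IO_COM = "[199.170.88.41,199.170.88.21,199.170.88.39]"
Packet = Tuple[str, int, str, int, bytes]  # src_ip, sport, dst_ip, dport, payload
REQUEST: Packet = ("213.164.32.133", 33001, "199.170.88.41", 80, b"GET / HTTP/1.0\r\n\r\n")
RESPONSE: Packet = ("199.170.88.41", 80, "213.164.32.133", 33001, b"HTTP/1.0 200 OK\r\n\r\n")

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')


@dataclass
class Rule:
    src: Optional[Set[str]]   # None means "any"
    sport: Optional[int]
    direction: str            # "->" or "<>"
    dst: Optional[Set[str]]
    dport: Optional[int]
    msg: str
    content: Optional[bytes]


def parse_addr(token: str) -> Optional[Set[str]]:
    """'any', a single IP, or a bracketed comma-separated list of IPs."""
    return None if token == "any" else set(token.strip("[]").split(","))


def parse_port(token: str) -> Optional[int]:
    return None if token == "any" else int(token)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % text)
    direction = m.group("dir")
    if direction not in ("->", "<>"):
        # The Snort rule language documents only -> and <>; this toy rejects anything else.
        raise ValueError("unknown direction operator %r (use -> or <>)" % direction)
    opts = dict(OPTION_RE.findall(m.group("opts")))
    content = opts["content"].encode() if "content" in opts else None
    return Rule(parse_addr(m.group("src")), parse_port(m.group("sport")), direction,
                parse_addr(m.group("dst")), parse_port(m.group("dport")),
                opts.get("msg", ""), content)


def _one_way(rule: Rule, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
    """Header match with the rule's left side as source and its right side as destination."""
    return ((rule.src is None or src_ip in rule.src)
            and (rule.sport is None or sport == rule.sport)
            and (rule.dst is None or dst_ip in rule.dst)
            and (rule.dport is None or dport == rule.dport))


def matches(rule: Rule, pkt: Packet) -> bool:
    src_ip, sport, dst_ip, dport, payload = pkt
    if rule.content is not None and rule.content not in payload:
        return False
    if _one_way(rule, src_ip, sport, dst_ip, dport):
        return True
    # <> additionally accepts the packet with the roles of the two sides swapped.
    return rule.direction == "<>" and _one_way(rule, dst_ip, dport, src_ip, sport)


def demo() -> dict:
    """Response rule, request rule written with swapped operands and ->, and a <> rule."""
    resp = parse_rule('alert tcp %s 80 -> 213.164.32.133 any (msg:"http resp www.io.com"; content:"HTTP";)' % IO_COM)
    req = parse_rule('alert tcp 213.164.32.133 any -> %s 80 (msg:"http req www.io.com"; content:"GET";)' % IO_COM)
    both = parse_rule('alert tcp %s 80 <> 213.164.32.133 any (msg:"http either way www.io.com";)' % IO_COM)
    return {
        "resp_on_response": matches(resp, RESPONSE), "resp_on_request": matches(resp, REQUEST),
        "req_on_request": matches(req, REQUEST), "req_on_response": matches(req, RESPONSE),
        "both_on_request": matches(both, REQUEST), "both_on_response": matches(both, RESPONSE),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-17s %s" % (name, "alert" if hit else "-"))
```

The request rule in demo() is the poster's "switch the left and right definitions and use ->" rewrite; it fires on the request and stays silent on the response, while the <> rule fires on both. Feeding a rule with <- to parse_rule raises ValueError, so a typo in the operator fails loudly rather than silently matching nothing.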

