Snort mailing list archives

Re: Snort 1.9 vs 2.0


From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Mon, 14 Oct 2002 10:28:28 +0200

Hi Chris, hi list,

  first of all thanks to sourcefire for releasing their improvements to
the open-source community.

The biggest end user change in this is that rule ordering matters a
lot less than it used to. If you specify content options in a rule,
multiple matches will alert on the longest singular content match.

Is it right that the new matching "most exact -> less exact -> catch
all" will affect the pass rules as well? Because when using 2.0.0-Build1
with the ruleset for 1.9 I have the following "problem":

pass tcp any any -> a.b.c.d 21
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file \
   completion attempt {"; flow:to_server,established; content:"~"; \
   content:"{"; reference: cve,CAN-2001-0886; reference:bugtraq,3581; \
   classtype:misc-attack; sid:1378;  rev:7;)

That's from my ftp.rules (ignore the linefeeds on the second rule *g*),
and it works quite well for 1.9 (where it ignores any traffic to a.b.c.d
port 21) but it doesn't work with 2.0. My debug output shows that
some of the traffic to a.b.c.d gets caught by the pass-rule, other traffic
to a.b.c.d (which BTW is in $HOME_NET) gets caught by the alert rule
(although using -o).

Kind regards,

        Jens
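The two selection policies the post contrasts can be made visible with a small model. The following is an added illustration, not code from the post or from Snort: it encodes the two rules quoted above and evaluates the same packets once under 1.9-style `-o` ordering (pass rules before alert rules) and once under the "longest single content match first, content-less rules as catch-all" policy the post quotes for 2.0. The host names, `$HOME_NET` membership and payloads are constructed; whether real Snort 2.0 applied the longest-content policy to pass rules is precisely the open question in the post, so the model only shows what each policy would produce.

```python
"""Model of the two rule-selection policies discussed in the post.

Added illustration, not Snort code. Policy A: 1.9-style -o ordering
(pass -> alert, first full match wins). Policy B: the 2.0 description
quoted in the post (longest single content match wins, rules with no
content option act as a catch-all). Hosts and payloads are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

HOME_NET: Set[str] = {"a.b.c.d", "e.f.g.h"}   # constructed stand-in for $HOME_NET


@dataclass
class Rule:
    action: str                  # "pass" or "alert"
    dst_hosts: Set[str]          # destination hosts the header matches
    dst_port: int
    contents: List[str] = field(default_factory=list)  # content: options
    msg: str = ""


@dataclass
class Packet:
    dst: str
    dport: int
    payload: bytes


# The two rules quoted in the post (ftp.rules), reduced to what the model needs.
RULES = [
    Rule("pass", {"a.b.c.d"}, 21),
    Rule("alert", HOME_NET, 21, contents=["~", "{"],
         msg="FTP wu-ftp file completion attempt {"),
]


def header_matches(rule: Rule, pkt: Packet) -> bool:
    return pkt.dst in rule.dst_hosts and pkt.dport == rule.dst_port


def longest_content_match(rule: Rule, pkt: Packet) -> Optional[int]:
    """Length of the longest single content option present in the payload.
    Every content option must match; if one is absent the rule does not fire
    and None is returned. A rule with no content options scores 0."""
    best = 0
    for c in rule.contents:
        if c.encode() not in pkt.payload:
            return None
        best = max(best, len(c))
    return best


def select_ordered(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Policy A (1.9 with -o): pass rules are tried before alert rules and
    the first rule whose header and every content option match wins."""
    order = {"pass": 0, "alert": 1}
    for rule in sorted(rules, key=lambda r: order[r.action]):
        if header_matches(rule, pkt) and longest_content_match(rule, pkt) is not None:
            return rule
    return None


def select_longest_content(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Policy B (2.0 as quoted): among matching rules, the one with the
    longest single content match wins; content-less rules (score 0) are the
    catch-all. Ties fall back to file order."""
    candidates = []
    for idx, rule in enumerate(rules):
        if not header_matches(rule, pkt):
            continue
        score = longest_content_match(rule, pkt)
        if score is not None:
            candidates.append((-score, idx, rule))
    if not candidates:
        return None
    candidates.sort()
    return candidates[0][2]


def decide(policy: str, dst: str, payload: bytes) -> Optional[str]:
    """Return the action taken for a TCP packet to dst:21, under policy
    'ordered' (A) or 'longest' (B); None when no rule matches."""
    pkt = Packet(dst, 21, payload)
    chooser = select_ordered if policy == "ordered" else select_longest_content
    rule = chooser(RULES, pkt)
    return rule.action if rule else None


if __name__ == "__main__":
    # Constructed payloads: one that trips the wu-ftp rule, one that does not.
    for payload in (b"~{", b"USER anonymous"):
        for policy in ("ordered", "longest"):
            print(policy, "a.b.c.d", payload, "->", decide(policy, "a.b.c.d", payload))
```

Under policy A every packet to a.b.c.d:21 is swallowed by the pass rule. Under policy B the same host still hits the pass rule for ordinary traffic, but a payload containing `~` and `{` makes the alert rule the "most exact" match and the content-less pass rule drops to catch-all, which is the split behaviour the post reports seeing.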



