Snort mailing list archives

strange rule problem


From: Yonah Russ <yonah () jct ac il>
Date: 09 Mar 2003 15:58:18 +0200

Hi,

 I've been experimenting with the ruletype directives and I'm having a
strange problem.

I'm running snort 1.9.1
here is the ruletype definition:

ruletype note
{
  type alert
  output alert_CSV: /somewhere/messages timestamp,msg,src,srcport,dst,dstport,ethsrc,ethdst
}

I'm using the rule order as follows:

config order: pass note alert log

here is my command line:

snort -U -i $INTERFACE -d -D -c /somewhere/snort.conf

here are two test rules:

note tcp any any -> any any (msg:"If this does not work what will"; classtype:attempted-recon; sid:1000000; rev:1;)
note udp 123.123.123.123/32 any -> any 161 (msg:"This should work"; classtype:not-suspicious; sid:1000001; rev:1;)


here are the problems/symptoms:
1) the first rule always logs to the file when it's enabled, but the second
rule won't.
2) when I change the second rule's action to pass, it passes the packets
like it should.

any ideas?
 thanks
yonah

-- 
Yonah Russ <yonah () jct ac il>
Jerusalem College of Technology
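As an added, defender-side sanity check (not code from the poster or from Snort itself), the following Python lints a snort.conf-style text like the one above: it collects the ruletype blocks, the config order line and the rules, then reports rules whose action is neither a built-in action nor a declared ruletype, and actions that a present config order line leaves out. The sample config, including the deliberately misspelled `notes` action, is constructed for this example; the built-in action set and the simplified rule/option parsing are assumptions, not Snort's own parser.

```python
import re

# Constructed snort.conf excerpt modelled on the post above (not the poster's actual file);
# the last rule uses a misspelled action so the checker has something to report.
SAMPLE_CONF = """\
ruletype note
{
  type alert
  output alert_CSV: /somewhere/messages timestamp,msg,src,srcport,dst,dstport,ethsrc,ethdst
}
config order: pass note alert log
note tcp any any -> any any (msg:"If this does not work what will"; classtype:attempted-recon; sid:1000000; rev:1;)
note udp 123.123.123.123/32 any -> any 161 (msg:"This should work"; classtype:not-suspicious; sid:1000001; rev:1;)
notes udp any any -> any 53 (msg:"misspelled action"; sid:1000002; rev:1;)
"""

BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}  # assumed built-in set
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((.*)\)$")  # action proto src sport dir dst dport (opts)

def parse_conf(text):
    # Returns (ruletypes, order, rules); ruletypes maps name -> list of body lines.
    ruletypes, order, rules, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:            # inside a ruletype { ... } block
            if line == "}":
                current = None
            elif line != "{":
                ruletypes[current].append(line)
        elif line.startswith("ruletype "):
            current = line.split()[1]
            ruletypes[current] = []
        elif line.startswith("config order:"):
            order = line.split(":", 1)[1].split()
        elif (m := RULE_RE.match(line)):
            # Naive option split: assumes no ';' inside the quoted msg string.
            opts = dict(o.strip().split(":", 1) for o in m.group(4).split(";") if ":" in o)
            rules.append({"action": m.group(1), "proto": m.group(2), "sid": opts.get("sid", "?")})
    return ruletypes, order, rules

def check_conf(text):
    # Report rules whose action is undeclared, or declared but missing from 'config order'.
    ruletypes, order, rules = parse_conf(text)
    known = BUILTIN_ACTIONS | set(ruletypes)
    problems = []
    for r in rules:
        if r["action"] not in known:
            problems.append(f"sid {r['sid']}: action '{r['action']}' is neither built-in nor a declared ruletype")
        elif order and r["action"] not in order:
            problems.append(f"sid {r['sid']}: action '{r['action']}' is absent from 'config order'")
    return problems
```

Running `check_conf(SAMPLE_CONF)` reports only the `notes` rule; the two `note` rules from the post pass the check, which is consistent with the poster's problem lying somewhere other than a declaration or ordering mismatch.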



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

