Snort mailing list archives

Snort 2.0 rc1 Observations


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Fri, 28 Mar 2003 08:46:25 -0600 (CST)

I tried out Snort 2.0 rc1 yesterday on Solaris 9 and I noticed three
things.

1.  Sid 1955 in rpc.rules uses "to_sever" instead of "to_server" and the
new version of Snort didn't like it although version 1.9.1 seemed to
tolerate it.

2.  Sids 1250 and 1108 in web-misc.rules use "regex" and the new version
didn't seem to be able to handle that.  I had to comment out those two
rules in order to get Snort to start.

3.  Once I did get Snort to start, I noticed that a lot of the rules that
had pass rules for specific circumstances were starting to fire where they
did not in version 1.9.1. The database started to fill up very fast with
all of these situations where the pass rule should have prevented the
alert.  When I eventually stopped Snort, only 11 passes were recorded
where there should have been hundreds if not thousands.  The startup
script I used was the same startup script that I had used for version
1.9.1.

I immediately switched back to version 1.9.1.

Ken
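A small rule linter, added here as an illustration and not part of Ken's message or of the Snort project, that catches the two rule-syntax problems the post describes (a misspelled flow direction such as "to_sever", and the "regex" keyword that Snort 2.0 rc1 rejects) before Snort is started. The sample rules and the set of accepted flow values are constructed assumptions, not the real rpc.rules or web-misc.rules text.

```python
import re

# Flow option values accepted by Snort 2.x rules (assumed list; "to_sever"
# from the post is the kind of typo this catches).
FLOW_VALUES = {"to_server", "to_client", "from_server", "from_client",
               "established", "stateless", "no_stream", "only_stream"}
# Keywords the new engine rejects; "regex" is the one the post mentions.
UNSUPPORTED_KEYWORDS = {"regex"}

# Constructed rules modelled on sids 1955, 1250 and a clean rule; not the
# actual rule-file contents.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sample"; flow:to_sever,established; content:"|00 01 86 A0|"; sid:1955; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sample"; flow:to_server,established; regex; content:"/cgi-bin/"; sid:1250; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC ok"; flow:to_server,established; sid:9999; rev:1;)
"""

# Simplified: assumes the option block has no nested parentheses or ';'
# inside quoted strings, which holds for the constructed sample.
OPTION_RE = re.compile(r"\(([^)]*)\)\s*$")

def lint_rule(rule):
    """Return a list of problems found in one Snort rule line."""
    problems = []
    m = OPTION_RE.search(rule)
    if not m:
        return ["no option block"]
    opts = [o.strip() for o in m.group(1).split(";") if o.strip()]
    sid = next((o.split(":", 1)[1].strip() for o in opts
                if o.startswith("sid:")), "?")
    for opt in opts:
        key, _, value = opt.partition(":")
        key = key.strip()
        if key == "flow":
            for v in value.split(","):
                if v.strip() not in FLOW_VALUES:
                    problems.append(f"sid {sid}: unknown flow value '{v.strip()}'")
        elif key in UNSUPPORTED_KEYWORDS:
            problems.append(f"sid {sid}: unsupported keyword '{key}'")
    return problems

def lint_rules(text):
    """Lint every non-comment rule line; returns all problems found."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            found.extend(lint_rule(line))
    return found
```

Running lint_rules over the sample reports the bad flow value on sid 1955 and the regex keyword on sid 1250, and passes the clean rule.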


