Snort mailing list archives

RE: Rule Order


From: "Ron Shuck" <rshuck () Buchanan com>
Date: Fri, 2 May 2003 07:33:03 -0500

That is what I saw in production, and in my testing. If I looked at the
packet dump, it should have triggered an L3 or Windows Ping, etc., but
instead only triggers the "undefined code". Changing the order back to
default will make the same configuration trigger correctly.

It's kind of like a Pink Elephant. I'm not glad it's there, but at least
someone else sees it.  ;-)

Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org


-----Original Message-----
From: Allan Dover [mailto:allan () redwoods ca]
Sent: Friday, May 02, 2003 7:29 AM
To: Ron Shuck; snort-users () lists sourceforge net
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-users] Rule Order


Hey Ron,

I am having the same problem as you.  As soon as I switched to 'pass alert
log', I am getting undefined ICMP errors.  Interestingly enough, these were
known ICMP alerts, L3retriever and so on.

I am still a piglet with Snort (don't like using "newbie").  Anyone have any
other suggestions?

Allan Dover
Systems Administrator




----- Original Message -----
From: "Ron Shuck" <rshuck () Buchanan com>
To: <snort-users () lists sourceforge net>
Cc: <snort-devel () lists sourceforge net>
Sent: Thursday, May 01, 2003 3:33 PM
Subject: [Snort-users] Rule Order


Hi,

Has anyone else changed the rule order under 2.0?

When I upgraded to 2.0, I started having problems with ICMP alerts
when my rule order was set to 'pass alert log'. Actually, any setting
other than default caused problems. ICMP alerts happen, they just skip
the normal rule and trigger the "Undefined Code" rule.

TIA,

Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org
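For readers who have not changed the order before: the setting the thread is about is the snort.conf `config order` directive (the same thing the `-o` command-line switch does). The fragment below is an added illustration, not part of any message in this thread and not taken from the Snort distribution; the pass rule and the `$HOME_NET` value in it are made up for the example. It shows the default ordering, the 'pass alert log' ordering that Ron and Allan switched to, and the reason people switch: under the default order an alert rule that matches a packet wins before any pass rule is consulted, so a pass rule only suppresses alerts when pass is evaluated first.

```conf
# --- snort.conf (added example, constructed for illustration) ---
var HOME_NET 192.168.1.0/24          # assumed value for this example

# Default rule order in Snort 2.0 (equivalent to leaving the directive out):
# activation, dynamic, alert, pass, log.  With this order a packet that
# matches both an alert rule and a pass rule still alerts, because the
# alert rules are evaluated first.
config order: alert pass log

# Non-default order used by the posters above.  Pass rules are evaluated
# before alert rules, so the pass rule below actually suppresses alerts
# for the monitoring host.  This is the setting under which they saw
# specific ICMP rules replaced by the generic "Undefined Code" alert;
# the workaround reported in the thread is to go back to the default
# order until the cause is found.
# config order: pass alert log

# Example pass rule (assumed; only meaningful under 'pass alert log'):
# stop alerting on ICMP echo requests from the in-house monitoring box.
pass icmp 192.168.1.10 any -> $HOME_NET any (itype:8; msg:"monitoring ping";)

# Site rules follow, e.g. the stock ICMP rule set that contains the
# L3retriever / Windows Ping signatures mentioned above.
include $RULE_PATH/icmp.rules
```

To confirm which ordering a running sensor is using, check the startup banner Snort prints when it parses the configuration; it reports the rule application order it settled on, so a stray `-o` on the command line or a leftover `config order:` line is easy to spot before comparing the alerts produced by the two settings against the same packet capture.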

