Snort mailing list archives

strange behavior in rule processing?


From: lpj0508 () netscape net
Date: Mon, 26 May 2003 22:17:26 -0400

Hi,

I've been using Snort 2.0 since it came out. I noticed one strange behavior, though. My rule order is set to pass->alert->log (using -o). When I need to disable a rule, I usually just copy and paste it into the pass rules file with the pass directive, similar to below:

[root@xxxxx rules]# grep "WEB-MISC http directory traversal" *
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flags:A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)
pass.rules:pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)

This has been working fine all along, and with this arrangement I do not get directory traversal alerts, but recently I've started to get the directory traversal alerts again, despite not having made any changes recently.

Is anyone able to shed some light on this behavior? Thanks.

lpj
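The technique in the post relies on two things: with -o, pass rules are evaluated before alert rules, so a packet matched by a pass rule is never tested against the alert rules; and each pass rule must be an exact mirror of the alert rule it is meant to silence, otherwise a packet can fall through the pass rule and still hit the alert. The script below is an added example, not part of the original post or of the Snort distribution. It parses a pass file and an alert file, pairs rules by sid, and reports every pass rule whose header or option list no longer matches its alert counterpart. The two rule files embedded in it are constructed from the grep output above (with the filename prefixes grep adds removed); the option comparison is order-insensitive, which is a simplification, since Snort content modifiers bind to the preceding content. Run on that input it reports sid 1113, whose pass copy carries flags:A+ where the alert rule carries flow:to_server,established. Whether that difference is what lets the alerts through here is not something the post settles, but a drift check of this kind is the first thing to run when rules you believed silenced start firing again.

```python
import re

# Constructed sample input: the two files from the grep output in the post,
# one rule per line, without the "pass.rules:" / "web-misc.rules:" prefixes.
PASS_RULES = r'''
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flags:A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
'''

ALERT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "..\\";reference:arachnids,298; classtype:attempted-recon; sid:1112;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;  rev:4;)
'''

# action, header (proto src sport -> dst dport), then the parenthesised option body
RULE_RE = re.compile(r'^(\w+)\s+(.*?)\s*\((.*)\)\s*$')


def split_options(body):
    """Split a rule option body on ';' while honouring double quotes and backslash escapes,
    so that a ';' or '"' inside a content string does not end the option."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            out.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        out.append(''.join(cur))
    return [o for o in out if o.strip()]


def normalize_option(opt):
    """'content: "../"' and 'content:"../"' are the same option; canonicalise whitespace."""
    key, sep, val = opt.partition(':')
    return key.strip() + (':' + val.strip() if sep else '')


def parse_rule(line):
    """Return {'action', 'header', 'options', 'sid'} for one rule line, or None if it is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, header, body = m.groups()
    options = [normalize_option(o) for o in split_options(body)]
    sid = None
    for o in options:
        if o.startswith('sid:'):
            sid = int(o[4:])
    return {'action': action, 'header': ' '.join(header.split()), 'options': options, 'sid': sid}


def load_rules(text):
    """Index the rules in a file body by sid, skipping blank lines and comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule and rule['sid'] is not None:
            rules[rule['sid']] = rule
    return rules


def find_drift(pass_text, alert_text):
    """For every pass rule, compare it with the alert rule carrying the same sid.
    Returns {sid: report} only for pairs that differ (or pass rules with no alert twin)."""
    passes, alerts = load_rules(pass_text), load_rules(alert_text)
    drift = {}
    for sid, p in sorted(passes.items()):
        a = alerts.get(sid)
        if a is None:
            drift[sid] = {'missing_alert': True, 'header_mismatch': False,
                          'only_in_pass': list(p['options']), 'only_in_alert': []}
            continue
        report = {
            'missing_alert': False,
            'header_mismatch': p['header'] != a['header'],
            'only_in_pass': [o for o in p['options'] if o not in a['options']],
            'only_in_alert': [o for o in a['options'] if o not in p['options']],
        }
        if report['header_mismatch'] or report['only_in_pass'] or report['only_in_alert']:
            drift[sid] = report
    return drift


if __name__ == '__main__':
    for sid, report in find_drift(PASS_RULES, ALERT_RULES).items():
        print(f"sid {sid}: pass rule has drifted from its alert rule")
        for key, value in report.items():
            if value:
                print(f"  {key}: {value}")
```

To use it on a live sensor, read pass.rules and the rule file(s) the alerts come from into the two strings instead of the constructed samples; a pass rule that reports drift needs to be re-copied from the current alert rule, since any option that narrows the pass rule relative to the alert rule (or a header that no longer covers the same traffic) leaves packets for the alert rule to catch.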



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net