Snort mailing list archives

Re: Rules: flags burp using 2.0.2?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 22 Sep 2003 11:36:36 -0400

At 08:31 PM 9/21/2003, John Sage wrote:
Rather than picking up these, it drops through to the generic TCP:135
rule I've got, which confuses what I'm trying to do...

Wha' happen' between 1.9.1 and here, flags-wise?

That sounds more like a rule-ordering difference than anything else. Snort does not necessarily process rules in the same order that they appear in your rule files, although that is somewhat of a factor.

Now, I do recall someone claiming that 2.x was going to change rule processing so that every rule that matched a given packet would fire. This would lead to a single packet triggering both of your rules. However, I don't know if this made it into the final 2.x, and the behavior you are seeing would seem to indicate that it did not.


You might try disabling your generic rule, and see if the flag ones start firing off. If they do, it's probably a rule order thing.
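To make the rule-ordering point concrete, here is an added example (not code from the thread or from the Snort project): a toy model of Snort-style rule evaluation with a generic TCP port-135 rule and a more specific rule that also checks TCP flags. The rule syntax, flag letters, packets and the two evaluation modes (first match only versus every match) are constructed for this illustration; real Snort's ordering is governed by its own rule-tree logic, so treat this only as a way to reason about why a generic rule can shadow a specific one and why disabling the generic rule is a useful check.

```python
# Added example, not part of the original thread. Models how a generic
# port rule can shadow a more specific TCP-flags rule when an engine fires
# only the first matching rule, and how the behaviour differs when every
# matching rule fires. Rules and packets below are constructed sample data.
from dataclasses import dataclass
from typing import Optional, List, Dict

# TCP flag letters in the order Snort's "flags:" option uses: F S R P A U
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Rule:
    msg: str
    dport: int
    flags: Optional[str] = None  # e.g. "S" (SYN only) or "SA"; None = any flags

    def matches(self, pkt: Dict[str, int]) -> bool:
        """True if the destination port and (if given) the exact flag set match."""
        if pkt["dport"] != self.dport:
            return False
        if self.flags is None:
            return True
        wanted = sum(FLAG_BITS[c] for c in self.flags)
        # Exact match, like "flags:S" without the + or * modifiers
        return pkt["flags"] == wanted


def evaluate(rules: List[Rule], pkt: Dict[str, int], fire_all: bool = False) -> List[str]:
    """Return the msg of each rule that fires; stop at the first hit unless fire_all."""
    hits = []
    for rule in rules:
        if rule.matches(pkt):
            hits.append(rule.msg)
            if not fire_all:
                break
    return hits


# Constructed rules: a generic "anything to 135" rule and a SYN-only rule.
GENERIC_135 = Rule("GENERIC tcp/135", dport=135)
SYN_135 = Rule("SYN to tcp/135", dport=135, flags="S")

# Constructed packet: a bare SYN to port 135 (flags value 0x02).
SYN_PKT = {"dport": 135, "flags": FLAG_BITS["S"]}


def demo() -> Dict[str, List[str]]:
    """Show the three situations discussed: shadowed, generic disabled, all-match."""
    return {
        # Generic rule listed first, first-match engine: the flags rule never fires.
        "first_match_generic_first": evaluate([GENERIC_135, SYN_135], SYN_PKT),
        # Same engine with the generic rule disabled: the flags rule now fires.
        "first_match_generic_disabled": evaluate([SYN_135], SYN_PKT),
        # Engine that fires every matching rule: one packet triggers both.
        "fire_all": evaluate([GENERIC_135, SYN_135], SYN_PKT, fire_all=True),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

Running it prints one line per scenario; the first shows only the generic rule firing, the second only the SYN rule once the generic one is removed, and the third both rules together, which is the difference between the two processing models the reply speculates about.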



