Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rules: flags burp using 2.0.2?

From: John Sage <jsage () finchhaven com>
Date: Mon, 22 Sep 2003 11:16:52 -0700
Matt:

On Mon, Sep 22, 2003 at 11:36:36AM -0400, Matt Kettler wrote:

tatus: RO
Content-Length: 1352
Lines: 34

At 08:31 PM 9/21/2003, John Sage wrote:

Rather than picking up these, it drops through to the generic TCP:135
rule I've got, which confuses what I'm trying to do...

Wha' happen' between 1.9.1 and here, flags-wise?


That sounds more like a rule-ordering difference than anything else. Snort 
does not necessarily process rules in the same order that they appear in 
your rule files, although that is somewhat of a factor.


Rule-ordering..

That brings back a faint memory from about 1.8.7 or so, methinks..


Now, I do recall someone claiming that 2.x was going to change rule 
processing so that every rule that matched a given packet would fire. This 
would lead to a single packet triggering both of your rules. However, I 
don't know if this made it into the final 2.x, and the behavior you are 
seeing would seem to indicate that it did not.


You might try disabling your generic rule, and see if the flag ones start 
firing off. If the do, it's probably a rule order thing.


I'll try this (in fact it's live, right now...) and see what happens.

Thanks.. (BTW: still dunno about that blocking deal...)


- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: