Snort mailing list archives
Re: Rules: flags burp using 2.0.2?
From: JP Vossen <vossenjp () netaxs com>
Date: Tue, 23 Sep 2003 01:53:20 -0400 (EDT)
> Date: Mon, 22 Sep 2003 11:16:52 -0700
> From: John Sage <jsage () finchhaven com>
> To: Matt Kettler <mkettler () evi-inc com>
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Rules: flags burp using 2.0.2?
>
> On Mon, Sep 22, 2003 at 11:36:36AM -0400, Matt Kettler wrote:
> > At 08:31 PM 9/21/2003, John Sage wrote:
> > > Rather than picking up these, it drops through to the generic TCP:135
> > > rule I've got, which confuses what I'm trying to do... Wha' happen'
> > > between 1.9.1 and here, flags-wise?
> >
> > That sounds more like a rule-ordering difference than anything else.
> > Snort does not necessarily process rules in the same order that they
> > appear in your rule files, although that is somewhat of a factor.
I have been struggling with the same issue since 1.9.1. It definitely CHANGED in 2.0 but just how I can't say. This is also a pretty low priority for me, so I've not spent much time on it.

However, I did have some limited success as follows. I created various custom rule TYPES, with the same definition but different names. I then used the 'config order' directive to force rule order. This *almost* works--there are still some Weird Things that I have not tracked down yet. YMMV.

<snort.conf stuff>
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype payload
{
    type alert
    output database: alert, mysql, dbname=snort ... ignore_bpf=yes
}
#
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype handshake
{
    type alert
    output database: alert, mysql, dbname=snort ... ignore_bpf=yes
}
[...]
# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall
<snort.conf stuff>

That config is OK for me because I have few "sets" of rules to order (it's a honeypot-kind-of-thing), but is not really scalable. It also doesn't quite work 100% but I don't remember how it's broken, nor have I played since soon after 2.0.1 came out. I have NOT had time to test 2.0.2. It *almost, but not quite,* worked for 2.0.0 and 2.0.1. I did not try this with 1.9.1.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|        http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash. Now you have to reboot Windows 200x or XP every
couple of days because of a patch. How is that better or more stable?
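To make the ordering workaround described above concrete, here is an added, self-contained snort.conf fragment (example written for this archive page; it is not JP's configuration or code from the Snort project). It keeps his three custom type names and his 'config order' sequence, and fills in what his excerpt elides with assumptions chosen for illustration: alert_fast file output per type instead of his MySQL database output, the built-in rule types listed ahead of the custom ones, $HOME_NET/$EXTERNAL_NET defined earlier in snort.conf, rules for TCP/135 from the thread, and locally assigned SIDs from 1000001 up. Whether Snort 2.0.x honours this order for every packet is exactly what the thread reports as unreliable; writing each type to its own file is what lets you see which rule actually fired.

```snort
# Added example, not from the original message. Assumptions: alert_fast
# output, $HOME_NET/$EXTERNAL_NET set earlier, local SIDs 1000001+.

# One ruletype per "set" of rules whose relative order matters. All three are
# ordinary alert types; the separate names exist only so 'config order' can
# sequence them. Separate output files make it easy to see which set matched.
ruletype payload
{
    type alert
    output alert_fast: payload.alert
}

ruletype handshake
{
    type alert
    output alert_fast: handshake.alert
}

ruletype catchall
{
    type alert
    output alert_fast: catchall.alert
}

# Built-in types first (assumed: Snort's own default sequence), then the custom
# types in JP's order. 'catchall' goes last so the generic TCP/135 rule is only
# reached when nothing more specific matched.
config order: activation dynamic alert pass log payload handshake catchall

# payload set: established connection carrying data to TCP/135.
# "|05 00|" at offset 0 is the DCE RPC major/minor version header.
payload tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 data"; flags:PA; flow:to_server,established; content:"|05 00|"; depth:2; sid:1000001; rev:1;)

# handshake set: SYN only; ",12" ignores the two reserved (ECN) flag bits.
handshake tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 SYN"; flags:S,12; sid:1000002; rev:1;)

# catchall set: the generic TCP/135 rule the thread says was swallowing the
# more specific ones.
catchall tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 any"; sid:1000003; rev:1;)
```

The flags on the first two rules are mutually exclusive (a pure SYN cannot also be PSH/ACK), so a single packet can only ever reach one of them; the ordering that matters in practice is that 'catchall' sits after both, and comparing catchall.alert against the other two files is the quickest check that the order is being applied.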
Current thread:
- Rules: flags burp using 2.0.2? John Sage (Sep 21)
- Re: Rules: flags burp using 2.0.2? Matt Kettler (Sep 22)
- Re: Rules: flags burp using 2.0.2? John Sage (Sep 22)
- <Possible follow-ups>
- Re: Rules: flags burp using 2.0.2? JP Vossen (Sep 23)
- Re: Rules: flags burp using 2.0.2? Matt Kettler (Sep 22)