Re: Differences Between Versions

[Martin Olsson <elof () sentor se>]

On Fri, 16 Jan 2004, Michael Thompson wrote:
>   On one box I have snort 2.00 and on another I have Snort 2.1.0
>
>   My question is that the Snort 2.00 appears to miss certain events,
>   while snort 2.1 picks them up.
>   Does any one know if there are any know logging problems with the 2.0
>   version?

Yes, there was a bug in the wu-manber (mwm) pattern matcher in snort
2.0.x. When I changed the search-method to ac, the snort started alerting
on rules that had been quiet using the mwm method.

Two of the rules that didn't work with mwm was:

sid:1561 WEB-MISC ?open access
sid:1117 WEB-MISC Lotus EditDoc

Both of these rules use the uricontent with a leading questionmark.

uricontent:"?open";
uricontent:"?EditDocument";


This bug in mwm should have been fixed in snort 2.1.0.

/Martin



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users