Snort mailing list archives

Re: [Snort-sigs] RE: Ignoring Win32 SNMP printer checks


From: Nerijus Krukauskas <nk99 () delfi lt>
Date: Tue, 25 May 2004 09:04:23 +0300

OK, I found it, but this is very weird. Although I have already noticed similar Snort behavior. Sometimes it doesn't like the spaces in config/rules. Some time ago, a few of my custom rules didn't work just because there was (e.g.) 'content: "<something>"', instead of 'content:"<something>"'. This time it happened to the subnet list in HOME_NET. It was defined like 'HOME_NET [<subnet>, <subnet>]'. Right after I removed the space after the comma, the rule started to apply.
Anyway, the rule now works as expected.

nnposter wrote:
Does it alert consistently on the captured packet when replayed?
Does it alert on the "good" sensor when replayed?


From: "Nerijus Krukauskas" <nk99 () delfi lt>

Yup. HOME_NET is defined with subnets, where both addresses (from the sample below) fall within. The strange thing is that another sensor in another segment is behaving as expected. Although the config between them differs only in sensor_name in db output. The trouble is caused just in one IP subnet. Seems like I have overlooked something very small, yet not so obvious... If I'm gonna find this, I will post the results.

nnposter () users sourceforge net wrote:

I do not see an obvious explanation. Have you also checked that the IP addresses fall within the rule scope?


--
NK @ Vilnius
nk.tinkle.lt

It shall be unlawful for any suspicious person to be within the municipality. -- Local ordinance, Euclid Ohio
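
An added example, not part of the original messages: a small Python check that flags whitespace inside bracketed `var` lists in a Snort config (the condition the post reports for HOME_NET) and tests whether packet addresses fall inside the normalized list, as asked in the thread. The sample config, its subnets, and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config; subnets are illustrative, not from the thread.
SAMPLE_CONF = """\
# sensor config
var HOME_NET [10.1.0.0/16, 192.168.5.0/24]
var DNS_SERVERS [10.1.0.53,10.1.0.54]
var EXTERNAL_NET !$HOME_NET
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.*?)\s*$")


def lint_var_lists(conf_text):
    """Return [(line_no, name, normalized_value)] for bracketed var lists
    that contain whitespace between the brackets."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop comments
        m = VAR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        inner = re.search(r"\[(.*)\]", value)
        if inner and re.search(r"\s", inner.group(1)):
            findings.append((line_no, name, re.sub(r"\s+", "", value)))
    return findings


def parse_networks(value):
    """Parse a literal (non-negated, no $VAR) bracketed list into networks."""
    items = value.strip().strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False)
            for i in items if i.strip()]


def in_scope(addr, networks):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    for line_no, name, fixed in lint_var_lists(SAMPLE_CONF):
        print(f"line {line_no}: {name} has whitespace in its list; use {fixed}")
```

Running the scope check against the source and destination addresses of a captured packet separates a variable-definition problem from an address that was never in HOME_NET to begin with.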

