Snort mailing list archives
Re: Repeating question re: problems with director operators.
From: John Sage <jsage () finchhaven com>
Date: Tue, 5 Mar 2002 08:00:52 -0800
See: Chapter 2 Writing Snort Rules, How to Write Snort Rules and Keep Your Sanity, under 2.2.4 Port Numbers:

"There is also a bidirectional operator, which is indicated with a "<>" symbol."

Example:

log !192.168.1.0/24 any <> 192.168.1.0/24 23

Try that.

Also, a thought: if you're splitting rules onto multiple lines, as you've always shown, each split line needs to end with a "\"

- John

--
Most people don't type their own logfiles; but, what do I care?

On Tue, Mar 05, 2002 at 12:22:59PM +0100, Jesus Couto wrote:
Hi,

I have not read any answer acknowledging this problem. To repeat, all testing I have done in snort-1.8.3 and the 1.8.4 betas shows the same behavior: if there is a rule defined with one operator, a rule that has the same networks and ports both to the left and to the right of the operator but uses the operator in the other direction is ignored.

Example:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 213.164.32.133 any (msg:"http req www.io.com";)

never shows any alert for request traffic, and the inverse

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 <- 213.164.32.133 any (msg:"http req www.io.com";)
alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)

never shows any alarms with the answers from the website. Either rule, alone, works, and rewriting them to use the -> operator (switching the left and right network and port definitions) works.

Also, it seems to be a problem with the content option in rules about tcp traffic with the <- operator; for example:

alert tcp [199.170.88.41,199.170.88.21,199.170.88.39] 80 -> 213.164.32.133 any (msg:"http resp www.io.com"; content: "I";)

generates alarms when browsing www.io.com, but

alert tcp 213.164.32.133 any <- [199.170.88.41,199.170.88.21,199.170.88.39] 80 (msg:"http resp www.io.com"; content: "I";)

doesn't. Tried changing options and disabling stream4 and stream4_reassemble without results.

Platform: snort-1.8.3 and all the .4 betas running on Linux 2.2.17 (Debian).

Can anybody else repeat the test and confirm this?

Jesús Couto F.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
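The thread above turns on Snort's rule-header direction operators: Snort's rule grammar defines only "->" (one direction) and "<>" (bidirectional); a "<-" header is not an operator the rule parser accepts, which is consistent with the quoted observation that the reversed rules fire only once rewritten as "->" with the two sides swapped. The following is an added example, not code from the Snort project or from either poster: a small Python model of the header grammar that rewrites a "<-" header into the equivalent swapped "->" header and evaluates a packet's addresses against "->" and "<>" rules. The IP lists, ports and packet tuples are taken from or constructed around the rules in the thread; the helper names (`normalize`, `header_matches`) are this example's own, and rule options in parentheses are carried through but not evaluated.

```python
"""Model Snort 1.x rule-header direction semantics (added example, not Snort's code).

Header grammar modelled: action proto src_ip src_port DIR dst_ip dst_port [(options)]
where DIR is '->' or '<>'; a '<-' header is accepted here only to show how it
maps onto the equivalent '->' header with the endpoints swapped.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>|<-)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$'
)


def parse_header(rule):
    """Split a rule into its header fields; options are kept as one opaque string."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a recognised rule header: {rule!r}")
    return m.groupdict()


def normalize(rule):
    """Rewrite a '<-' header as '->' with the sides swapped; leave '->' and '<>' alone.

    This is exactly the manual rewrite the poster reports as working.
    """
    h = parse_header(rule)
    if h["dir"] == "<-":
        h["src"], h["sport"], h["dst"], h["dport"] = h["dst"], h["dport"], h["src"], h["sport"]
        h["dir"] = "->"
    opts = f" {h['opts']}" if h["opts"] else ""
    return f"{h['action']} {h['proto']} {h['src']} {h['sport']} {h['dir']} {h['dst']} {h['dport']}{opts}"


def _ip_match(spec, ip):
    # 'any' matches everything; '[a,b,c]' is a list of addresses or CIDRs; '!' negates.
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(item, strict=False)
                  for item in spec.strip("[]").split(","))
    return hit != negated


def _port_match(spec, port):
    # 'any', a single port, or a 'lo:hi' range (either end open); '!' negates.
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def header_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """True if a packet's 4-tuple matches the rule header (options are ignored).

    '->' matches only src->dst; '<>' matches the packet in either orientation.
    """
    h = parse_header(normalize(rule))
    forward = (_ip_match(h["src"], src_ip) and _port_match(h["sport"], src_port)
               and _ip_match(h["dst"], dst_ip) and _port_match(h["dport"], dst_port))
    if h["dir"] == "->":
        return forward
    reverse = (_ip_match(h["src"], dst_ip) and _port_match(h["sport"], dst_port)
               and _ip_match(h["dst"], src_ip) and _port_match(h["dport"], src_port))
    return forward or reverse


# Rules from the thread (constructed test data follows the same addressing).
WEB = "[199.170.88.41,199.170.88.21,199.170.88.39]"
RESP_RULE = f'alert tcp {WEB} 80 -> 213.164.32.133 any (msg:"http resp www.io.com";)'
REQ_RULE_BAD = f'alert tcp {WEB} 80 <- 213.164.32.133 any (msg:"http req www.io.com";)'
BIDIR_RULE = f'alert tcp {WEB} 80 <> 213.164.32.133 any (msg:"http www.io.com";)'

if __name__ == "__main__":
    print(normalize(REQ_RULE_BAD))
    # A client request (constructed): 213.164.32.133:40000 -> 199.170.88.41:80
    print(header_matches(RESP_RULE, "213.164.32.133", 40000, "199.170.88.41", 80))   # False
    print(header_matches(BIDIR_RULE, "213.164.32.133", 40000, "199.170.88.41", 80))  # True
```

Running it shows the two rewrites the thread discusses: the "<-" request rule normalizes to `alert tcp 213.164.32.133 any -> [...] 80 (...)`, and the single "<>" rule covers both the request and the response, so one bidirectional rule can replace the pair of one-directional rules the poster was trying to write.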
Current thread:
- Repeating question re: problems with director operators. Jesus Couto (Mar 05)
- Re: Repeating question re: problems with director operators. John Sage (Mar 05)
- Re: Repeating question re: problems with director operators. Jesus Couto (Mar 05)
- Re: Repeating question re: problems with director operators. Erek Adams (Mar 05)
- Re: Repeating question re: problems with director operators. John Sage (Mar 05)
- Re: Repeating question re: problems with director operators. Brian (Mar 07)
- Re: Repeating question re: problems with director operators. Jesus Couto (Mar 05)
- Trouble with updating rules skill2die4 (Mar 05)
- Re: Repeating question re: problems with director operators. John Sage (Mar 05)
