Snort mailing list archives
Possible bug in event queue processing - Would really appreciate some insight
From: Peter Politopoulos <ppolitop () gmail com>
Date: Sun, 15 May 2011 15:02:02 +0300
Greetings,
I would like to report a strange behavior which may or may not be a bug. What matters most at the moment for my Snort
development is whether this behavior is consistent or not.
Suppose we run Snort with only 2 rules:
------------
stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)
stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)
------------
where stats is defined as:
------------
ruletype stats
{
type alert
output alert_csv: stdout msg,dgmlen
output log_null
}
------------
...and event queue is configured like this:
------------
config event_queue: log 1 order_events priority
------------
According to the Snort manual, "priority - The highest priority (1 being the highest) events are ordered first."
Well, here is my surprise result - running a ping will produce only an "ALL" match alert.
If I give higher priority to "ALL" then it will always produce an "ICMP" match alert - i.e. Snort produces 1 alert and
this for the _lowest_ priority event match.
If I config the queue to log 2 then I get both alerts but again with inverted priority - ALL shows up first and ICMP
shows second.
Is this a bug, expected behavior or an artifact? Most importantly is this consistent?
I am running Snort Version 2.8.5.2 (Build 121) on Debian.
Thank you for helping out!
Peter
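A small model of the event_queue semantics as the manual documents them, added here as an example that is not part of the post or of Snort's own code: it states what `log N order_events priority` should emit for the two rules above and compares that with what was observed. The Event fields, the function names and the per-event content lengths are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of "config event_queue" as the Snort manual documents it
# (hypothetical code, not Snort's implementation):
#   log N                        keep at most N events per packet
#   order_events priority        1 is the highest priority and is ordered first
#   order_events content_length  longer content matches are ordered first

@dataclass
class Event:
    sid: int
    msg: str
    priority: int            # rule "priority:" option, 1 = highest
    content_length: int = 0  # bytes of matched content, 0 for header-only rules

def order_events(events: List[Event], order: str) -> List[Event]:
    """Return the events in the order the manual describes for `order`."""
    if order == "priority":
        # Lower number first; sorted() is stable, so ties keep detection order.
        return sorted(events, key=lambda e: e.priority)
    if order == "content_length":
        return sorted(events, key=lambda e: -e.content_length)
    raise ValueError(f"unknown order_events value: {order}")

def event_queue(events: List[Event], log: int, order: str = "priority") -> List[Event]:
    """Events that should be logged for one packet under `log N order_events <order>`."""
    return order_events(events, order)[:log]

# Constructed: the two rules from the post, both matching one ICMP echo packet.
PING_MATCHES = [
    Event(sid=1000004, msg="ALL", priority=4),   # `ip` rule matched
    Event(sid=1000003, msg="ICMP", priority=1),  # `icmp` rule matched
]

def expected_msgs(log: int, order: str = "priority") -> List[str]:
    return [e.msg for e in event_queue(PING_MATCHES, log, order)]

def matches_observed(observed: List[str], log: int, order: str = "priority") -> bool:
    """Compare the alert msgs actually emitted against the documented ordering."""
    return observed == expected_msgs(log, order)

if __name__ == "__main__":
    print("log 1:", expected_msgs(1))   # ['ICMP']
    print("log 2:", expected_msgs(2))   # ['ICMP', 'ALL']
    # The post reports only "ALL" with log 1, which the documented ordering does not predict.
    print("post's log 1 output matches manual?", matches_observed(["ALL"], 1))  # False
```

Feed `matches_observed` the msg column of the alert_csv output for a given `log` value to check a build against the documented ordering.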
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
