Snort mailing list archives
Re: Possible bug in event queue processing - Would really appreciate some insight
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 15 May 2011 08:38:20 -0400
Peter, thanks. We had an internal bug on this and it's fixed in Snort 2.9.1. However, you should not use such an old version of Snort (2.8.5.2), our current version is 2.9.0.5.

On May 15, 2011, at 8:02 AM, Peter Politopoulos wrote:
Greetings,
I would like to report a strange behavior which may or may not be a bug. What matters most at the moment for my Snort development is whether this behavior is consistent or not.
Suppose we run Snort with only 2 rules:
------------
stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)
stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)
------------
where stats is defined as:
------------
ruletype stats
{
type alert
output alert_csv: stdout msg,dgmlen
output log_null
}
------------
...and event queue is configured like this:
------------
config event_queue: log 1 order_events priority
------------
According to the Snort manual: "priority - The highest priority (1 being the highest) events are ordered first."
Well, here is my surprise result - running a ping will produce only an "ALL" match alert.
If I give a higher priority to "ALL" then it will always produce an "ICMP" match alert - i.e. Snort produces 1 alert, and this for the _lowest_ priority event match.
If I configure the queue to log 2 then I get both alerts, but again with inverted priority - ALL shows up first and ICMP shows second.
Is this a bug, expected behavior or an artifact? Most importantly is this consistent?
I am running Snort Version 2.8.5.2 (Build 121) on Debian.
Thank you for helping out!
Peter
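The following is an added example, not part of the thread and not Snort's own code. It parses the two rules and the event_queue line quoted above and applies the ordering the manual documents (priority 1 first, then keep the first `log` events), so it shows what Peter expected to see, not the inverted result he reported. The sid tie-break, the explicit-priority requirement and the content_length handling (longest content option first, 0 for rules without content) are this example's own assumptions; the defaults max_queue 8, log 3, order_events content_length are the ones the Snort manual gives.

```python
import re

# Constructed sample input, copied from the thread: Peter's two rules and his
# event_queue line.
RULES = '''
stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)
stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)
'''
EVENT_QUEUE = "config event_queue: log 1 order_events priority"

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")


def parse_rule(line):
    """Parse one Snort rule into the fields the event queue cares about."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    action, proto, _direction, body = m.groups()
    opts = {}
    contents = []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, val = opt.split(":", 1)
            key, val = key.strip(), val.strip().strip('"')
            if key == "content":
                contents.append(val)  # used for content_length ordering
            else:
                opts[key] = val
        else:
            opts[opt] = True  # flag options such as nocase
    if "priority" not in opts:
        # Real Snort derives a priority from classtype; this example (assumption)
        # only handles rules that set one explicitly, as the thread's rules do.
        raise ValueError("rule sid %s has no explicit priority" % opts.get("sid"))
    return {
        "action": action,
        "proto": proto,
        "msg": opts.get("msg", ""),
        "sid": int(opts["sid"]),
        "priority": int(opts["priority"]),
        "content_length": max((len(c) for c in contents), default=0),
    }


def parse_event_queue(line):
    """Parse 'config event_queue: ...'; keys not given keep the manual's defaults."""
    m = re.match(r"^config\s+event_queue:\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an event_queue config line: %r" % line)
    cfg = {"max_queue": 8, "log": 3, "order_events": "content_length"}
    tokens = m.group(1).split()
    if len(tokens) % 2:
        raise ValueError("event_queue options come in key/value pairs")
    for key, val in zip(tokens[0::2], tokens[1::2]):
        if key in ("max_queue", "log"):
            cfg[key] = int(val)
        elif key == "order_events":
            if val not in ("priority", "content_length"):
                raise ValueError("unknown order_events value %r" % val)
            cfg[key] = val
        else:
            raise ValueError("unknown event_queue option %r" % key)
    return cfg


def select_events(matches, cfg):
    """Apply the documented event_queue semantics to the rules one packet matched.

    max_queue caps how many matches are queued, order_events sorts the queue
    (priority: 1 is highest and goes first; content_length: longest match first),
    and log keeps the first N for output. Ties are broken by sid (assumption).
    """
    queue = matches[: cfg["max_queue"]]
    if cfg["order_events"] == "priority":
        ordered = sorted(queue, key=lambda r: (r["priority"], r["sid"]))
    else:
        ordered = sorted(queue, key=lambda r: (-r["content_length"], r["sid"]))
    return ordered[: cfg["log"]]


def expected_alerts(rules_text, event_queue_line):
    """Messages that should be logged, in order, when one packet matches every rule."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    cfg = parse_event_queue(event_queue_line)
    return [r["msg"] for r in select_events(rules, cfg)]


if __name__ == "__main__":
    # A ping matches both rules; with log 1 and priority ordering only "ICMP" should be logged.
    print(expected_alerts(RULES, EVENT_QUEUE))
```

Running it with `log 2` gives `["ICMP", "ALL"]`, the opposite of the order Peter saw; swapping the two priorities makes "ALL" the only logged event. That is the reference behaviour against which the 2.8.5.2 output in this thread can be compared.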
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
