From: Andrew R. Baker (andrewb_at_snort.org)
Date: Tue Oct 29 2002 - 14:34:06 CST


    larosa, vjay wrote:
    > Hello,
    >
    > I am running snort v 1.9.0 build 209 and I am having a problem with the
    > ordering of some rules.
    > I was under the assumption that this didn't matter anymore with snort 1.9.0.
    > I have two rules,
    >
    >
    > (trap-db is a custom ruletype I defined. Instead of using alert I use
    > trap-db to send snmp traps for some events).
    >
    > trap-db udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP GET Admin.dll";
    > content:"|0001|"; offset:0; depth:2; content:"admin.dll"; nocase;
    > classtype:successful-admin;
    > reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
    >
    > and
    >
    > alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|0001|";
    > offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)
    >
    > For some reason the second rule gets triggered when I try a tftp session and
    > do a get admin.dll,
    > but if I say get passwd the correct passwd rule triggers.
    >
    > alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|0001|";
    > offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin;
    > sid:1443; rev:1;)
    >
    >
    > Anybody have any clue what might be wrong? Thanks!

    Do you have a "config order" line in your config file? By default,
    Snort orders custom rule types after the default rule types. Try adding
    this line to your snort.conf (after the declaration of the trap-db rule
    type):

    config order: trap-db alert pass log

    -A
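To see why the reply's fix works, here is a small model of Snort 1.x rule-type ordering written for this page (it is not Snort's code and not from either poster). It assumes rule types are evaluated in "config order" sequence, that custom types not listed there go after the defaults, that the first matching rule ends evaluation for the packet, and that rules within one type are tried in file order with the more specific rules listed first.

```python
# Toy model of Snort 1.x rule-type ordering (added illustration, not Snort code).
# Assumptions: rule types are evaluated in "config order" sequence, custom types
# not named there go after the defaults, the first rule whose content checks all
# pass fires, and within one type rules are tried in file order.
DEFAULT_ORDER = ["alert", "pass", "log"]

def make_rule(rtype, sid, msg, *contents):
    """contents: (pattern, offset, depth, nocase) like the rule options."""
    return {"type": rtype, "sid": sid, "msg": msg, "contents": contents}

# The three rules from the thread, in assumed file order (specific before generic).
RULES = [
    make_rule("trap-db", 1289, "TFTP GET Admin.dll",
              (b"\x00\x01", 0, 2, False), (b"admin.dll", None, None, True)),
    make_rule("alert", 1443, "TFTP GET passwd",
              (b"\x00\x01", 0, 2, False), (b"passwd", None, None, True)),
    make_rule("alert", 1444, "TFTP Get", (b"\x00\x01", 0, 2, False)),
]

def content_matches(payload, pattern, offset, depth, nocase):
    """Apply offset/depth to bound the search window, then look for pattern."""
    window = payload[offset or 0:]
    if depth is not None:
        window = window[:depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window

def rule_matches(rule, payload):
    return all(content_matches(payload, *c) for c in rule["contents"])

def effective_order(config_order=None):
    """Order of rule-type lists; None means no 'config order:' line."""
    order = list(config_order) if config_order else list(DEFAULT_ORDER)
    for rule in RULES:                  # custom types land at the end
        if rule["type"] not in order:
            order.append(rule["type"])
    return order

def first_match(payload, config_order=None):
    """sid of the first rule that fires for this packet, or None."""
    for rtype in effective_order(config_order):
        for rule in RULES:
            if rule["type"] == rtype and rule_matches(rule, payload):
                return rule["sid"]
    return None

# Constructed TFTP read requests: opcode 0x0001, filename, NUL, mode, NUL.
RRQ_ADMIN = b"\x00\x01admin.dll\x00octet\x00"
RRQ_PASSWD = b"\x00\x01passwd\x00octet\x00"
```

With no "config order" line, `first_match(RRQ_ADMIN)` returns 1444 because the alert list is walked before the custom trap-db list; with `["trap-db", "alert", "pass", "log"]` it returns 1289, and the passwd request returns 1443 either way.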
