[Snort-devel] bug with 'tag' on OpenBSD 3.3+

From: Jon Hart <warchild(at)spoofed.org>
Date: Fri Aug 29 2003 - 13:06:11 EDT


Greetings,

I had been using Snort rules with Snort 1.9.x without any problems. Just the other day I attempted to modify a local rule to make use of tagging only to find that it wasn't working:

alert tcp $HOME_NET !22 -> $EXTERNAL_NET any (msg:"SSH on non-standard port"; flow:from_server,established; content:"SSH-"; depth:4; dsize:<50; classtype:bad-unknown; sid:100003; tag:session,5,packets;)

As I understand it, this rule, after the initial alert, should also alert on the next 5 packets in the session. For what it's worth, this rule without the 'tag' keyword works just fine.

What's happening is, regardless of what options I use for 'tag', it only ever logs the first packet that triggers this rule. I've tried numerous options for tag, including:

host,5,packets,src
host,5,packets,dst
session,5,seconds

and none of those seem to work. I tried this on another OpenBSD 3.3 box on a different network and get the same results. However, I tried this on a Debian testing/unstable box with snort 2.0.1 built from source and the 'tag' keyword works as expected.

As required from $src/doc/BUGS:


OpenBSD 3.3 running on an x86 box with Snort 2.0.1 compiled from source.

The following preprocessors are on:

preprocessor frag2: memcap 12582912
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols 1 6 17 47 50 89 103, timeout 180, max_conversations 65535, alert_odd_protocols

All default rules minus about 25 with high false positives or that are just bogus stuff that we don't care about are on. Additionally, there are 10 or so custom rules.

Only the mysql output plugin is enabled.

Snort is running with the following command line switches:

"-i $interface -NCDdIey -c $pathtoconfigfile -g snort -u snort"

I've turned on various levels of debugging, but nothing catches my eye.


Thanks,

-jon
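An added illustration of what the tag option in the rule above should produce on a working Snort, so that a reader has a concrete reference to compare the mysql output against. This is example code written for this page, not Snort source and not anything from the post. It parses the tag option out of the rule text and replays a constructed ten-packet trace (hosts, ports and timestamps are made up) through a simplified model of Snort 2.x tag semantics: session tags follow the triggering 5-tuple in both directions, host tags follow any packet containing the trigger's source (src) or destination (dst) address, and the count is measured in packets, seconds or bytes after the trigger. The trigger packet is assumed to be index 0.

```python
import re
from dataclasses import dataclass


# Constructed packet record for the simulation (not a Snort structure).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float      # seconds since capture start
    length: int    # bytes on the wire
    proto: str = "tcp"


# Snort 2.x rule option syntax: tag:<type>,<count>,<metric>[,<direction>];
TAG_RE = re.compile(
    r"tag\s*:\s*(host|session)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)"
    r"(?:\s*,\s*(src|dst))?\s*;"
)


def parse_tag(rule: str):
    """Return the rule's tag option as a dict, or None if the rule has none."""
    m = TAG_RE.search(rule)
    if m is None:
        return None
    kind, count, metric, direction = m.groups()
    if kind == "host" and direction is None:
        raise ValueError("tag:host needs a src or dst direction")
    return {"type": kind, "count": int(count), "metric": metric, "direction": direction}


def _same_session(a: Packet, b: Packet) -> bool:
    """True when b belongs to a's session, in either direction."""
    fwd = (a.src, a.sport, a.dst, a.dport)
    rev = (a.dst, a.dport, a.src, a.sport)
    return a.proto == b.proto and (b.src, b.sport, b.dst, b.dport) in (fwd, rev)


def _matches(tag, trigger: Packet, pkt: Packet) -> bool:
    if tag["type"] == "session":
        return _same_session(trigger, pkt)
    # host: any packet carrying the trigger's source (src) or destination (dst) IP
    ip = trigger.src if tag["direction"] == "src" else trigger.dst
    return ip in (pkt.src, pkt.dst)


def logged_indices(rule: str, packets, trigger_index: int = 0):
    """Indices of the packets a working tag should log: the trigger plus
    the packets the tag selects, counted after the trigger (simplified model)."""
    tag = parse_tag(rule)
    trigger = packets[trigger_index]
    logged = [trigger_index]
    if tag is None:
        return logged
    n_packets = n_bytes = 0
    for i in range(trigger_index + 1, len(packets)):
        pkt = packets[i]
        if not _matches(tag, trigger, pkt):
            continue
        if tag["metric"] == "packets":
            if n_packets >= tag["count"]:
                break
            n_packets += 1
        elif tag["metric"] == "seconds":
            if pkt.ts - trigger.ts > tag["count"]:
                break
        else:  # bytes
            if n_bytes >= tag["count"]:
                break
            n_bytes += pkt.length
        logged.append(i)
    return logged


# The rule from the post, verbatim.
RULE = ('alert tcp $HOME_NET !22 -> $EXTERNAL_NET any (msg:"SSH on non-standard port"; '
        'flow:from_server,established; content:"SSH-"; depth:4; dsize:<50; '
        'classtype:bad-unknown; sid:100003; tag:session,5,packets;)')


def with_tag(rule: str, spec: str) -> str:
    """Swap the rule's tag option for another spec, e.g. 'host,5,packets,src'."""
    return TAG_RE.sub(f"tag:{spec};", rule)


# Constructed trace: an SSH server on port 2222 talking to two clients, plus noise.
SERVER, CLIENT_A, CLIENT_B, OTHER = "10.0.0.5", "192.0.2.10", "192.0.2.20", "198.51.100.7"
TRAFFIC = [
    Packet(SERVER, 2222, CLIENT_A, 40000, 0.0, 60),      # 0 banner, triggers the alert
    Packet(CLIENT_A, 40000, SERVER, 2222, 0.1, 60),      # 1 same session
    Packet(SERVER, 2222, CLIENT_A, 40000, 0.2, 500),     # 2 same session
    Packet(OTHER, 53, CLIENT_A, 5353, 0.3, 80, "udp"),   # 3 unrelated, but to CLIENT_A
    Packet(SERVER, 2222, CLIENT_B, 41000, 0.4, 60),      # 4 same server, other client
    Packet(CLIENT_A, 40000, SERVER, 2222, 0.5, 60),      # 5 same session
    Packet(SERVER, 2222, CLIENT_A, 40000, 0.6, 100),     # 6 same session
    Packet(CLIENT_A, 40000, SERVER, 2222, 0.7, 60),      # 7 same session
    Packet(SERVER, 2222, CLIENT_A, 40000, 3.0, 100),     # 8 same session, later
    Packet(CLIENT_A, 40000, SERVER, 2222, 3.1, 60),      # 9 same session, later
]

if __name__ == "__main__":
    for spec in ("session,5,packets", "host,5,packets,src", "host,5,packets,dst", "session,5,seconds"):
        print(f"{spec:20s} -> {logged_indices(with_tag(RULE, spec), TRAFFIC)}")
```

With the session tag from the post, a working Snort should log the trigger and five further packets of that one session ([0, 1, 2, 5, 6, 7] here), skipping the unrelated UDP packet and the other client. The host variants are wider than they look: host,...,src also catches the server's traffic to CLIENT_B, and host,...,dst picks up the unrelated packet addressed to CLIENT_A, which is worth knowing before sizing the count on a busy sensor.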




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Fri Aug 29 13:19:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT

