Bug #204

closed

Alert requiring flowbit to be set not firing.

Added by Jason Ish over 13 years ago. Updated over 13 years ago.

Status: Closed
Priority: High

Description

Using VRT registered rules for Snort 2.8.5.3.

Sid 16435 in policy.rules requires the flowbit in sid 16425 (web-client.rules) to be set before it will alert. In the default suricata.yaml, policy.rules is loaded before web-client.rules and sid 16435 does not alert. Sid 16435 will alert if web-client.rules is listed before policy.rules in the configuration file.

Actions #1

Updated by Victor Julien over 13 years ago

  • Due date set to 07/09/2010
  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.0.1
  • Estimated time set to 3.00 h

Shouldn't the sigordering make sure a sig that sets a flowbit is before one that needs it to be set?

Actions #2

Updated by Victor Julien over 13 years ago

  • Due date changed from 07/09/2010 to 07/23/2010
  • Assignee changed from Anoop Saldanha to Pablo Rincon
  • Priority changed from Normal to High

Actions #3

Updated by Victor Julien over 13 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Patch applied, thanks Pablo. Commit 0c3906a99b02fe86faa4f3af72562321945180b2
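
The load-order dependency in this report (a rule that checks a flowbit being loaded before the rule that sets it) can be spotted offline from the rule text. The following is an added example, not code from the Suricata project or from this ticket: the rules, sids and the flowbit name `example.bit` are constructed, and `setters_first` is a simplified reordering written for illustration, not Suricata's signature-ordering code.

```python
import re

# Constructed rules (not the VRT rules from the report), in load order:
# the checker's file is loaded before the setter's file, as in the report.
RULES_IN_LOAD_ORDER = [
    ("policy.rules",
     'alert tcp any any -> any any (msg:"checker"; flowbits:isset,example.bit; sid:1000002;)'),
    ("web-client.rules",
     'alert tcp any any -> any any (msg:"setter"; flowbits:set,example.bit; flowbits:noalert; sid:1000001;)'),
    ("web-client.rules",
     'alert tcp any any -> any any (msg:"unrelated"; content:"x"; sid:1000003;)'),
]

FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;\s]+))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
WRITES = {"set", "unset", "toggle"}
READS = {"isset", "isnotset"}

def parse(rule):
    """Return (sid, flowbits written, flowbits read) for one rule line."""
    sid = int(SID_RE.search(rule).group(1))
    writes, reads = set(), set()
    for action, name in FLOWBIT_RE.findall(rule):
        if action in WRITES:
            writes.add(name)
        elif action in READS:
            reads.add(name)
    return sid, writes, reads

def late_setters(rules):
    """List (checker_sid, bit, setter_sid) where every writer of the bit loads after the checker."""
    parsed = [parse(text) for _, text in rules]
    findings = []
    for pos, (sid, _, reads) in enumerate(parsed):
        for bit in sorted(reads):
            earlier = any(bit in w for _, w, _ in parsed[:pos])
            later = [s for s, w, _ in parsed[pos + 1:] if bit in w]
            if not earlier and later:
                findings.append((sid, bit, later[0]))
    return findings

def setters_first(rules):
    """Stable reorder: write-only rules, then read+write, then neutral, then read-only."""
    def rank(item):
        _, writes, reads = parse(item[1])
        return {(True, False): 0, (True, True): 1, (False, False): 2}.get(
            (bool(writes), bool(reads)), 3)
    return sorted(rules, key=rank)
```
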
