Bug #976
closed
ip_rep supplying a different number of alerts for 2 different but semantically similar rules
Added by Anoop Saldanha about 11 years ago.
Updated about 11 years ago.
Description
src,>,0
src,<,127
When tested on etpro's ip_rep data, these give a different number of alerts, while they should be the same.
- Status changed from New to Assigned
Found a bug, not sure if it is the issue, but definitely something.
Rule-Set 1:
alert ip any any -> any any (iprep:src,[category],>,0; sid:1;)
Rule-Set 2:
alert ip any any -> any any (iprep:src,[category],<,127; sid:1;)
Fill category with all the available categories. Should give you 31 rules for each of the above sets.
Let me know if you need the exact ruleset I tested with.
Looks like it has not solved the issue.
Sharing the rules privately.
Looks like the rules specified by me were < 127, but there were IPs whose value was set at 127, which essentially meant we were not matching on these IPs.
Also, < 127 would mean match the entire range, which we can specify using > 0 (which is the alternate ruleset I was testing < 127 against).
Closing bug, since this is a non-issue.
- Status changed from Assigned to Closed
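Added example, not code from the bug report or from Suricata itself: a small model of iprep matching that reproduces the count gap discussed above. A host whose reputation score is exactly 127 matches "iprep:src,<cat>,>,0" but not "iprep:src,<cat>,<,127", and a host scored 0 does the reverse, so the two rulesets only agree when no host sits on a boundary. It assumes the 0..127 score range and the <, >, = operators documented for the iprep keyword; the reputation table, the rule strings and the traffic are constructed for the example and the helper names (parse_rule, count_alerts, divergent_hosts) are this example's own.

```python
import operator
import re
from collections import Counter

# Constructed reputation data (ip -> {category: score}); not real ETPro data.
REPUTATION = {
    "203.0.113.10": {"CnC": 127},                   # score on the upper bound
    "203.0.113.11": {"CnC": 100, "Scanner": 127},
    "203.0.113.12": {"Scanner": 50},
    "203.0.113.13": {"Scanner": 0},                 # score on the lower bound
    "198.51.100.5": {},                             # host with no reputation
}

# Constructed traffic: one packet per source host, so alert counts equal host counts.
PACKETS = [{"src": ip, "dst": "192.0.2.1"} for ip in REPUTATION]

# Assumed operator set for iprep (check the docs of the Suricata version you run).
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}
RULE_RE = re.compile(r"iprep:(src|dst),([^,]+),([<>=]),(\d+);.*sid:(\d+);")


def parse_rule(rule):
    """Extract (side, category, op, score, sid) from a rule with an iprep option."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError(f"no iprep/sid option found: {rule}")
    side, cat, op, score, sid = m.groups()
    score = int(score)
    if not 0 <= score <= 127:
        raise ValueError("reputation scores are 0..127 (assumed range)")
    return side, cat, op, score, int(sid)


def rule_matches(rule, pkt, reputation=REPUTATION):
    """True if the packet's src/dst has a score in the category satisfying op."""
    side, cat, op, score, _ = parse_rule(rule)
    host_rep = reputation.get(pkt[side], {})
    if cat not in host_rep:
        return False        # no entry for this category: the rule can never fire
    return OPS[op](host_rep[cat], score)


def count_alerts(rules, packets=PACKETS, reputation=REPUTATION):
    """Return a Counter({sid: number of packets that fired the rule})."""
    hits = Counter()
    for rule in rules:
        sid = parse_rule(rule)[4]
        hits[sid] += sum(rule_matches(rule, p, reputation) for p in packets)
    return hits


def divergent_hosts(rule_a, rule_b, packets=PACKETS, reputation=REPUTATION):
    """Sources matched by exactly one of the two rules: what explains a count gap."""
    a = {p["src"] for p in packets if rule_matches(rule_a, p, reputation)}
    b = {p["src"] for p in packets if rule_matches(rule_b, p, reputation)}
    return a ^ b


def rulesets(categories):
    """Build the two rulesets from the report, one rule per category, same sids."""
    gt0 = [f"alert ip any any -> any any (iprep:src,{c},>,0; sid:{i};)"
           for i, c in enumerate(categories, 1)]
    lt127 = [f"alert ip any any -> any any (iprep:src,{c},<,127; sid:{i};)"
             for i, c in enumerate(categories, 1)]
    return gt0, lt127


if __name__ == "__main__":
    gt0, lt127 = rulesets(["CnC", "Scanner"])
    print("> 0  :", dict(count_alerts(gt0)))
    print("< 127:", dict(count_alerts(lt127)))
    for a, b in zip(gt0, lt127):
        print("differ on:", sorted(divergent_hosts(a, b)))
```

With the constructed data the CnC rules count 2 versus 1 (203.0.113.10 is scored 127 and only the > 0 form sees it), while the Scanner rules both count 2 by coincidence even though they match different hosts, which is why comparing totals alone can hide the boundary problem; divergent_hosts shows the actual set difference.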