Snort mailing list archives
Re: Strange effect after installing 1.8.2 (1.8.1 did work)
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 05 Nov 2001 09:34:25 -0500
1) 'Something' does output Packet-Contents (but only contents, no header) on the 'terminal' snort is started on! The old 1.8.1 did not show this behaviour. Is there an 'official change' in snort or a module which does define its output in a new way?
What command line are you using?
2) in the ddos-rules snort-1.8.2 complained about every rule, which had a 'msg'-field including a ':' in the quoted string like:

redalert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)

In the same file there is a *working* rule with '\:' instead of ':', so I changed ALL the rules that way, and it seems to work...
The rule parser was changed to adhere to the language spec and tell you when you did something wrong (like using a reserved char in the msg argument field). This behavior is correct.

-Marty

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
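The fix described in the thread (writing '\:' for ':' inside the msg argument), as an added example that is not part of the original posts and not Snort's own code: it rewrites only the msg argument of each rule and leaves option separators such as `sid:231` and already-escaped colons untouched. The function names are hypothetical, and it assumes ':' is the only character to escape, since that is the only one the thread names.

```python
import re

# msg option at the start of the option list or after ';', with its quoted
# argument; the argument may already contain backslash escapes such as \:
MSG_RE = re.compile(r'([(;]\s*msg\s*:\s*")((?:[^"\\]|\\.)*)(")')

def escape_colons(arg):
    """Escape each ':' in a msg argument, leaving existing escapes alone."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i:i + 2])   # existing escape pair, copy as-is
            i += 2
        else:
            out.append("\\:" if arg[i] == ":" else arg[i])
            i += 1
    return "".join(out)

def fix_rule(line):
    """Return (rewritten_line, changed) for one rules-file line."""
    if not line.strip() or line.lstrip().startswith("#"):
        return line, False             # blank line or comment
    new = MSG_RE.sub(lambda m: m.group(1) + escape_colons(m.group(2)) + m.group(3),
                     line, count=1)
    return new, new != line

def fix_rules(text):
    """Rewrite a whole rules file; return (new_text, changed_line_numbers)."""
    fixed, changed_lines = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new, changed = fix_rule(line)
        fixed.append(new)
        if changed:
            changed_lines.append(number)
    return "\n".join(fixed), changed_lines

# Line 2 is the rule quoted in the post; lines 1 and 3 are constructed samples.
SAMPLE = r'''# ddos rules (constructed comment line: has a colon)
redalert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)
alert tcp any any -> any any (msg:"constructed\: already escaped"; sid:1000001; rev:1;)'''

if __name__ == "__main__":
    text, changed = fix_rules(SAMPLE)
    print("rewritten lines:", changed)
    print(text)
```

Running it a second time over its own output changes nothing, so it is safe to apply to a rules file that is already partly escaped.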
Current thread:
- Strange effect after installing 1.8.2 (1.8.1 did work) Chr. v. Stuckrad (Nov 05)
- Re: Strange effect after installing 1.8.2 (1.8.1 did work) Martin Roesch (Nov 05)