[Snort-devel] truncated message in alert

Russell Fulton r.fulton at ...1343...
Tue Apr 30 15:44:05 EDT 2002

This alert seems to have the message truncated, bug in handling the
escaped " ?


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD . \"
possible warez site"; flags:A+; flow:to_server; content:"MKD .";
no\case; depth: 5; classtype:misc-activity; sid:548; rev:3;)


[**] FTP  [**]
04/30-21:37:39.932877 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x46 -> TCP TTL:121 TOS:0x0 ID:804
IpLen:20 DgmLen:56 DF
***AP*** Seq: 0xEAC6156  Ack: 0x5F187284  Win: 0xF79E  TcpLen: 20
4D 4B 44 20 2E 6A 62 75 69 6C 64 65 72 34 0D 0A  MKD .jbuilder4..



rful011 at ...1348...:/home/snort$ snort -V
Initializating Output Plugins!

-*> Snort! <*-
Version 1.9-dev (Build 126)
By Martin Roesch (roesch at ...402..., www.snort.org)

running on linux x86:
rful011 at ...1348...:/home/snort$ uname -a
Linux ruru 2.4.16-itss1 #2 Fri Dec 21 23:13:25 NZDT 2001 i686 unknown

Ah... one other minor grumble ;-)  could you get rid of the
"UnifiedSetup" that is printed to stderr, I run snort hourly from cron
and redirect stdout to /dev/null but want stderr left so I get any
errors mailed.  Now I'm getting mail every hour...

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the Snort-devel mailing list