[Snort-devel] rules problem relating to offset?

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon Mar 31 14:47:02 EST 2003


We have a tool that does an update anytime it sees you guys commit
rules, but the application of those to a policy is a manual process (for
what I hope are obvious reasons).  I used one of the default policies
(about a month old), on development, without merging the new changes in.

My bad.

-----Original Message-----
From: Brian [mailto:bmc at ...835...] 
Sent: Monday, March 31, 2003 4:29 PM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] rules problem relating to offset?


On Mon, Mar 31, 2003 at 03:12:02PM -0600, Kreimendahl, Chad J wrote:
> FATAL ERROR: snort.conf (858): Unable to parse as offset value string
> 
> and... line 858 is:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow
> attempt"; flow:established,to_server; content:" LIST |22 22| {"; nocase;
> byte_test:5,>,256,string,dec,relative; reference:nessus,10374;
> reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:6;)

When you upgrade snort, you should upgrade your ruleset.

This was corrected before 2.0.0 rc1 went out.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow
attempt"; flow:established,to_server; content:" LIST |22 22| {"; nocase;
byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374;
reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:7;)

-brian
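
Added example, not part of the thread and not Snort's own code: a pre-upgrade lint for the byte_test change discussed above, flagging rules whose fourth byte_test argument is not an integer offset before Snort rejects them at startup. The function names are hypothetical, the two rules are the revisions quoted above joined onto one line, and the check assumes offsets are written as integer literals as in rev 7.

```python
import re

# Constructed sample input: the two revisions of sid 1845 quoted in the thread,
# each joined onto one line.
REV6 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; '
        'flow:established,to_server; content:" LIST |22 22| {"; nocase; '
        'byte_test:5,>,256,string,dec,relative; reference:nessus,10374; '
        'reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:6;)')
REV7 = REV6.replace("256,string", "256,0,string").replace("rev:6", "rev:7")

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside double quotes."""
    opts, buf, in_quote, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote:
            opts.append(buf.strip())
            buf = ""
            continue
        if ch == '"' and not esc:
            in_quote = not in_quote
        esc = ch == "\\" and not esc
        buf += ch
    return [o for o in opts if o]

def check_rule(rule):
    """Return the byte_test problems found in one rule (empty list if none)."""
    start, end = rule.find("("), rule.rfind(")")
    problems = []
    if start < 0 or end < start:
        return problems  # not a rule line (var, include, ...)
    for opt in split_options(rule[start + 1:end]):
        name, _, value = opt.partition(":")
        if name.strip() != "byte_test":
            continue
        args = [a.strip() for a in value.split(",")]
        # Assumption: the 4th positional argument must be an integer offset.
        if len(args) < 4 or not re.fullmatch(r"[+-]?\d+", args[3]):
            got = args[3] if len(args) > 3 else "nothing"
            problems.append(f"byte_test offset is {got!r}, expected an integer")
    return problems

def lint_rules(text):
    """Check each non-comment line; return (line_no, sid, problem) tuples."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            sid = re.search(r"\bsid:\s*(\d+)", line)
            findings += [(no, sid.group(1) if sid else "?", p) for p in check_rule(line)]
    return findings
```

Passing the contents of a rules file to lint_rules() returns one tuple per offending byte_test, so an empty list means no rule in that file still uses the older argument order.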



