[Snort-sigs] Lost message and classification

Russell Fulton r.fulton at ...575...
Mon Jun 10 16:32:02 EDT 2002


 I recently changed the source IP header for the snmp rule below to

Here is the modified rule: 

var HOME_NET [,]

alert udp !$HOME_NET  any -> $HOME_NET 161 msg:"SNMP public access udp";
content:"public"; classtype:attempted-recon;
reference:cve,CAN-2002-0013; sid:1411; rev:2; )

It now generates alerts like this:

[**] Snort Alert! [**]
06/10-22:10:14.860994 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x77 -> UDP TTL:125 TOS:0x0 ID:14176
IpLen:20 DgmLen:105
Len: 85

Mustn't forget the vital bit ;-)

rful011 at ...629...:/home/snort$ snort -V
Initializating Output Plugins!

-*> Snort! <*-
Version 1.9-dev (Build 126)

Any idea what is going on?  Should I report this as a bug?

Cheers and thanks, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
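As an added illustration (not part of the original post), the rule quoted above has no `(` after the destination port, so the text from `msg:` onward is never read as a rule-options section and the alert carries only Snort's default message and no classification. The lint routine below is hypothetical checker code written for this example; it flags that defect, counts header tokens, and confirms the `msg`, `classtype`, `sid` and `rev` options are present. The two rule strings are constructed from the post, one as posted and one with the parenthesis restored.

```python
# Hypothetical Snort 1.x rule linter (example code, not Snort's own parser).
# Constructed inputs: the rule as it appears in the post (missing the '('
# before msg:) and the same rule with the parenthesis restored.
RULE_AS_POSTED = ('alert udp !$HOME_NET any -> $HOME_NET 161 msg:"SNMP public access udp"; '
                  'content:"public"; classtype:attempted-recon; '
                  'reference:cve,CAN-2002-0013; sid:1411; rev:2; )')
RULE_FIXED = RULE_AS_POSTED.replace(' msg:', ' (msg:', 1)

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
DIRECTIONS = {"->", "<>"}
REQUIRED_OPTIONS = ("msg", "classtype", "sid", "rev")


def lint_snort_rule(rule):
    """Return a list of problems found in a single-line Snort rule (empty if clean)."""
    problems = []
    open_idx, close_idx = rule.find("("), rule.rfind(")")
    if open_idx == -1 or close_idx == -1 or close_idx < open_idx:
        problems.append("options not enclosed in '(' ... ')': msg/classtype will not be parsed")
        header, body = rule, ""
    else:
        header, body = rule[:open_idx], rule[open_idx + 1:close_idx]

    # Header must be exactly: action proto src sport direction dst dport
    toks = header.split()
    if len(toks) != 7:
        problems.append(f"header has {len(toks)} tokens, expected 7")
    if toks and toks[0] not in ACTIONS:
        problems.append(f"unknown action '{toks[0]}'")
    if len(toks) >= 5 and toks[4] not in DIRECTIONS:
        problems.append(f"bad direction operator '{toks[4]}'")

    # Options are key:value pairs, each terminated by ';'. Splitting on ';'
    # is a simplification: it ignores ';' escaped inside content strings.
    if body and not body.rstrip().endswith(";"):
        problems.append("last option is missing its trailing ';'")
    options = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip()
    for key in REQUIRED_OPTIONS:
        if key not in options:
            problems.append(f"missing option '{key}'")
    return problems


if __name__ == "__main__":
    for label, rule in (("as posted", RULE_AS_POSTED), ("fixed", RULE_FIXED)):
        print(label, "->", lint_snort_rule(rule) or "OK")
```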
