[Snort-sigs] Lost message and classification

Russell Fulton r.fulton at ...575...
Mon Jun 10 16:32:02 EDT 2002


Hi,

 I recently changed the source IP header for the snmp rule below to
!$HOME_NET from $EXTERNAL_NET.

Here is the modified rule: 

var HOME_NET [130.216.0.0/16,202.37.88.0/24]
var EXTERNAL_NET any

alert udp !$HOME_NET  any -> $HOME_NET 161 msg:"SNMP public access udp";
content:"public"; classtype:attempted-recon;
reference:cve,CAN-2002-0013; sid:1411; rev:2; )

It now generates alerts like this:

[**] Snort Alert! [**]
06/10-22:10:14.860994 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x77
203.167.149.169:1028 -> 130.216.208.229:161 UDP TTL:125 TOS:0x0 ID:14176
IpLen:20 DgmLen:105
Len: 85

Mustn't forget the vital bit ;-)

rful011 at ...629...:/home/snort$ snort -V
Initializating Output Plugins!
UnifiedSetup

-*> Snort! <*-
Version 1.9-dev (Build 126)

Any idea what is going on?  Should I report this as a bug?

Cheers and thanks, Russell.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
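An added rule-lint check (not from the original post, and not Snort's own parser) that splits a rule into its seven header fields and its parenthesised option block and reports what is missing; it assumes, as the alert output above suggests, that a rule with no msg option is reported as "Snort Alert!", and the two sample rules are constructed from the one in the message.

```python
# Header of a Snort 1.x rule: action proto src sport dir dst dport
HEADER_FIELDS = 7
DEFAULT_MSG = "Snort Alert!"  # assumed default when a rule carries no msg option

# Constructed samples: the rule as posted (no '(' before msg) and a corrected copy.
BROKEN_RULE = ('alert udp !$HOME_NET  any -> $HOME_NET 161 msg:"SNMP public access udp"; '
               'content:"public"; classtype:attempted-recon; '
               'reference:cve,CAN-2002-0013; sid:1411; rev:2; )')
FIXED_RULE = BROKEN_RULE.replace("161 msg", "161 (msg")


def parse_rule(rule: str) -> dict:
    """Return header tokens, option dict and a list of problems for one rule."""
    problems = []
    rule = " ".join(rule.split())  # collapse line breaks and double spaces
    if "(" in rule and rule.endswith(")"):
        header, opts = rule.split("(", 1)
        opts = opts[:-1]  # drop the closing ')'
    else:
        header, opts = rule, ""
        problems.append("no '( ... )' option block found")
    tokens = header.split()
    if len(tokens) != HEADER_FIELDS:
        problems.append(f"header has {len(tokens)} tokens, expected {HEADER_FIELDS}; "
                        f"trailing text: {' '.join(tokens[HEADER_FIELDS:])}")
    options = {}
    # Simplification: splits on ';' so a ';' inside a quoted msg is not handled.
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    if "msg" not in options:
        problems.append(f"no msg option; alert would read '{DEFAULT_MSG}'")
    if "classtype" not in options:
        problems.append("no classtype option; alert would carry no classification")
    return {"header": tokens, "options": options, "problems": problems}


def expected_alert_msg(rule: str) -> str:
    """Message the alert would show for this rule, given the assumed default."""
    return parse_rule(rule)["options"].get("msg", DEFAULT_MSG)


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        result = parse_rule(rule)
        print(f"{name}: msg={expected_alert_msg(rule)!r} problems={result['problems']}")
```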
