[Snort-sigs] Lost message and classification

Martin Roesch roesch at ...435...
Mon Jun 10 18:34:02 EDT 2002


Is that really the rule?  If it is, it's so wrong that I'm surprised Snort
will even startup without throwing an error...

     -Marty

On 6/10/02 7:29 PM, "Russell Fulton" <r.fulton at ...575...> wrote:

> Hi,
> 
> I recently changed the source IP header for the snmp rule below to
> !$HOME_NET from $EXTERNAL_NET.
> 
> Here is the modified rule:
> 
> var HOME_NET [130.216.0.0/16,202.37.88.0/24]
> var EXTERNAL_NET any
> 
> alert udp !$HOME_NET  any -> $HOME_NET 161 msg:"SNMP public access udp";
> conten\t:"public"; classtype:attempted-recon;
> reference:cve,CAN-2002-0013; sid:1411; r\ev:2; )
> 
> It now generates alerts like this:
> 
> [**] Snort Alert! [**]
> 06/10-22:10:14.860994 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
> len:0x77
> 203.167.149.169:1028 -> 130.216.208.229:161 UDP TTL:125 TOS:0x0 ID:14176
> IpLen:20 DgmLen:105
> Len: 85
> 
> Mustn't forget the vital bit ;-)
> 
> rful011 at ...629...:/home/snort$ snort -V
> Initializating Output Plugins!
> UnifiedSetup
> 
> -*> Snort! <*-
> Version 1.9-dev (Build 126)
> 
> Any idea what is going on?  Should I report this as a bug?
> 
> Cheers and thanks, Russell.

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...435... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
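The rule quoted above fails in the way Marty describes because its option block is not wrapped in parentheses, so Snort never associates the msg/classtype/sid with the header and the resulting alert carries only the generic "Snort Alert!" label. One way to catch that before a sensor loads the rule is a small syntax checker. The following is an added example, not part of this thread and not Snort's own rule parser; the sample rules are constructed to mirror the shape of the posted rule, and the header regex and keyword list are assumptions covering a subset of the Snort 1.x syntax.

```python
import re

# Snort 1.x option keywords this checker recognises (assumed subset; extend as needed).
KNOWN_OPTIONS = {
    "msg", "content", "uricontent", "nocase", "depth", "offset", "within",
    "distance", "classtype", "reference", "sid", "rev", "priority", "flags",
    "flow", "dsize", "ttl", "itype", "icode", "ack", "seq", "logto",
}

# Rule header: action proto src sport dir dst dport, then whatever follows.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<rest>.*)$"
)

# Constructed sample rules (not from any ruleset). BROKEN_RULE has the same
# defect as the posted one: options without an opening parenthesis.
BROKEN_RULE = (
    'alert udp !$HOME_NET any -> $HOME_NET 161 msg:"SNMP public access udp"; '
    'content:"public"; classtype:attempted-recon; '
    'reference:cve,CAN-2002-0013; sid:1411; rev:2; )'
)
FIXED_RULE = (
    'alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; '
    'content:"public"; classtype:attempted-recon; '
    'reference:cve,CAN-2002-0013; sid:1411; rev:2;)'
)
# Constructed: well-formed block but a misspelled keyword, which Snort would reject.
TYPO_RULE = (
    'alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; '
    'contnet:"public"; classtype:attempted-recon; sid:1411; rev:2;)'
)


def split_options(body):
    """Split 'k:v; k:v;' on semicolons that sit outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Parse one rule; returns {'header': dict|None, 'options': dict, 'problems': list}.

    An empty 'problems' list means the rule has a well-formed option block,
    only known keywords, and the msg/sid/classtype needed for a useful alert.
    """
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return {"header": None, "options": {}, "problems": ["header does not parse"]}
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rest = m.group("rest").strip()
    if not rest:
        return {"header": header, "options": {}, "problems": ["no option block"]}
    if rest.startswith("(") and rest.endswith(")"):
        body = rest[1:-1]
    else:
        problems.append("option block is not enclosed in parentheses")
        body = rest.strip("()")  # best effort so the remaining checks still run
    options = {}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key = key.strip()
        if key not in KNOWN_OPTIONS:
            problems.append(f"unknown option keyword {key!r}")
        options.setdefault(key, value.strip().strip('"'))
    for required in ("msg", "sid", "classtype"):
        if required not in options:
            problems.append(f"missing required option {required!r}")
    return {"header": header, "options": options, "problems": problems}


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE), ("typo", TYPO_RULE)):
        print(name, parse_rule(rule)["problems"] or "ok")
```

Running the checker over a rules file before restarting the sensor turns "why does this alert have no message" into a load-time finding rather than a puzzle in the alert log.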
