[Snort-sigs] big problems with 2.1 snapshot rules?

Eric Bowser ebowser at ...2597...
Tue Jun 29 07:41:04 EDT 2004


I've been running snort 2.1 for a while now, and recently updated my
rules.  Everything ran great with rules from sometime in the beginning
of May; however, the latest rules cause some major weird problems.

For example, the rule for "MS-SQL worm propagation attempt" catches all
sorts of traffic that doesn't belong to it.  I was catching ICMP
traffic, PIM (protocol 103) traffic, socks scans, and a few others.  

I did a diff between the old & new sql.rules file, and they are exactly
the same.  Something else is going on, but it is beyond me.  This
stopped happening when I replaced my old rules directory.  It would
stand to reason that although the SQL rules are the same, it is
something in the latest rules snapshot causing this issue.

Any help in troubleshooting this would be very much appreciated.  Let me
know what additional information we need, I'll be glad to post it.

Thanks in advance (and many more thanks to follow...)

Eric J. Bowser 
330.658.9858 direct 
330.658.0123 fax 

I-TRAP Internet Security Services
888.658.TRAP toll-free
330.658.1040 local

"Quis Custodiet Ipsos Custodes?"
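A file-by-file diff of sql.rules, as described above, cannot show a rule in some other file of the snapshot that reuses a sid or changed its body, which is the kind of thing worth checking when alerts carry a msg that does not match the traffic. The script below is an added example written for this post (it is not the poster's code and not part of Snort) that indexes two rule directories by sid and reports sids whose rule text differs between snapshots and sids defined more than once within one snapshot. It assumes one rule per line (Snort's backslash line continuation is not handled) and, when run without arguments, builds a constructed pair of sample directories using sids from the local 1000000+ range with a hypothetical sid collision, purely to illustrate the output; nothing about the sample is a claim about what the real snapshot contained.

```shell
#!/bin/sh
# Compare two Snort rule snapshots by sid instead of by file name.
# Added example for the snort-sigs thread; assumes one rule per line.
set -u
export LC_ALL=C          # byte-wise sort/join so the two tools agree on order
TAB=$(printf '\t')

# Print "sid<TAB>file<TAB>rule" for every active rule under a directory,
# sorted numerically by sid. Comments and blank lines are skipped.
index_rules() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
            match($0, /sid:[[:space:]]*[0-9]+/) {
                sid = substr($0, RSTART + 4, RLENGTH - 4)
                gsub(/[[:space:]]/, "", sid)
                printf "%s\t%s\t%s\n", sid, file, $0
            }' "$f"
    done | sort -t "$TAB" -k1,1n
}

# Sids that appear more than once within a single snapshot (any file).
duplicate_sids() {
    index_rules "$1" | cut -f1 | uniq -d
}

# Sids present in both snapshots whose rule text differs. A sid reused by an
# unrelated rule in the new snapshot shows up here as well.
changed_sids() {
    old_idx=$(mktemp); new_idx=$(mktemp)
    index_rules "$1" | cut -f1,3 | sort -u > "$old_idx"
    index_rules "$2" | cut -f1,3 | sort -u > "$new_idx"
    join -t "$TAB" -j 1 "$old_idx" "$new_idx" | awk -F "$TAB" '$2 != $3 { print $1 }'
    rm -f "$old_idx" "$new_idx"
}

# Constructed sample data (not real Snort rules, local-range sids) so the
# script runs offline: sql.rules is identical in both snapshots, icmp.rules
# bumps a rev, and a hypothetical new file reuses sid 1000001.
write_samples() {
    base=$1
    mkdir -p "$base/old" "$base/new"
    cat > "$base/old/sql.rules" <<'EOF'
# constructed sample, not a real rule set
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SAMPLE MS-SQL worm propagation attempt"; content:"|04|"; depth:1; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SAMPLE MS-SQL probe"; flow:to_server,established; sid:1000002; rev:1;)
EOF
    cp "$base/old/sql.rules" "$base/new/sql.rules"
    cat > "$base/old/icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ICMP probe"; itype:8; sid:1000003; rev:1;)
EOF
    cat > "$base/new/icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ICMP probe"; itype:8; sid:1000003; rev:2;)
EOF
    cat > "$base/new/experimental.rules" <<'EOF'
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE unrelated rule reusing a sid"; ip_proto:103; sid:1000001; rev:1;)
EOF
}

# Usage: compare.sh OLD_RULES_DIR NEW_RULES_DIR   (no args: run on the sample)
if [ $# -eq 2 ]; then
    old_dir=$1; new_dir=$2
else
    sample=$(mktemp -d); write_samples "$sample"
    old_dir=$sample/old; new_dir=$sample/new
fi
echo "sids whose rule text changed between snapshots:"
changed_sids "$old_dir" "$new_dir"
echo "sids defined more than once in the new snapshot:"
duplicate_sids "$new_dir"
```

Pointing the script at the May rules directory and the current snapshot lists every sid whose rule body changed anywhere in the tree, plus any sid that the new snapshot defines twice, which narrows the search well beyond a diff of the one file whose msg appears in the alerts.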