[Snort-sigs] Crashing snort

Matthew Jonkman matt at ...2436...
Tue Jun 29 19:21:01 EDT 2004


Put these up but disabled them. They're causing snort to core, recent 
stable version.

alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P 
iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 
20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500; 
flow:from_server,established classtype:trojan-activity; sid:2000338; rev:1;)

alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P 
iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 
20 4F 66 66 65 72 65 64 3A|"; depth:500; flow:from_server,established 
classtype:trojan-activity; sid:2000339; rev:1;)

Anyone see anything wrong there? Enableing either causes a core.

Matt
--




More information about the Snort-sigs mailing list