[Snort-sigs] Crashing snort

Matthew Jonkman matt at ...2436...
Tue Jun 29 20:23:29 EDT 2004


That was it. Thanks.

The little details in life are what always get you.

It's fixed and updated.

But why would that core snort rather than generating an error? Snort is
really good about catching and explaining unterminated options and such.

Matt

Joshua Berry wrote:

> The only thing that I notice is there is no semi-colon after the 
> flow:from_server,established on either rule.
> 
>     -----Original Message-----
>     *From:* snort-sigs-admin at lists.sourceforge.net on behalf of Matthew
>     Jonkman
>     *Sent:* Tue 6/29/2004 9:20 PM
>     *To:* snort-sigs mailinglist
>     *Cc:*
>     *Subject:* [Snort-sigs] Crashing snort
> 
>     Put these up but disabled them. They're causing snort to core, recent
>     stable version.
> 
>     alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P
>     iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74
>     20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500;
>     flow:from_server,established classtype:trojan-activity; sid:2000338;
>     rev:1;)
> 
>     alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P
>     iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C
>     20 4F 66 66 65 72 65 64 3A|"; depth:500; flow:from_server,established
>     classtype:trojan-activity; sid:2000339; rev:1;)
> 
>     Anyone see anything wrong there? Enabling either causes a core.
> 
>     Matt
>     --
> 
> 
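
A pre-load check for the defect identified in this thread (a missing `;` that fuses `flow:` and `classtype:` into one option), as an added example that is not code from the thread or from Snort. The keyword subset and the function names are assumptions of this example; the sample rule is sid 2000339 as posted above, joined onto one line.

```python
import re

# Real Snort option keywords; the subset chosen here is an assumption of this example.
KEYWORDS = {"msg", "content", "depth", "offset", "distance", "within", "nocase",
            "flow", "classtype", "sid", "rev", "reference", "priority", "pcre"}

def split_options(body):
    """Split an option body on ';' characters that sit outside double quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)  # trailing text that never reached a ';'
    return opts

def lint_rule(rule):
    """Return warnings for options that look like two options fused by a missing ';'."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["no parenthesised option block found"]
    warnings = []
    for opt in split_options(rule[start + 1:end]):
        name, _, value = opt.partition(":")
        # Blank out quoted payloads so msg/content text cannot trigger a warning.
        unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        for m in re.finditer(r"\s([a-z_]+)\s*(?::|$)", unquoted):
            if m.group(1) in KEYWORDS:
                warnings.append(f"missing ';' after '{name.strip()}' before '{m.group(1)}'")
    return warnings

# Rule as posted in the thread (sid 2000339), line wrapping removed.
BROKEN = ('alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P '
          'iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C '
          '20 4F 66 66 65 72 65 64 3A|"; depth:500; flow:from_server,established '
          'classtype:trojan-activity; sid:2000339; rev:1;)')
# Constructed corrected form: the same rule with the terminator restored.
FIXED = BROKEN.replace("established classtype", "established; classtype")
```

Running `lint_rule` over each line of a rules file before enabling it flags this class of typo without relying on the sensor's own parser.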




