[Snort-sigs] New revs? of old sigs causing Snort to die

Nigel Houghton nigel at ...435...
Sun Oct 21 19:14:40 EDT 2007


On 10/21/07 5:31 PM, "Paul Melson" <pmelson at ...2420...> wrote:

> Starting Friday I noticed the following problems with the following
> signatures.
> 
> The following rules start with 'alert udp' and contain flow: statements.
> 
> 634,635,636,637,2004
> 
> I'm using Snort 2.7.0.1 on RHEL4 and it's complaining and refusing to
> run until these rules are commented out.
> 
> Also, the following rules are using a comma-delimited list of ports,
> which is causing Snort to barf:
> 
> 12635,12642
> 
> What's up?
> 
> PaulM

Which ruleset are you using? If it is not the one intended for 2.7 then you
will have problems like that because those rules are intended for 2.8 and
higher, which are able to use flow with UDP rules and port lists.

-- 
Nigel Houghton
Office Linebacker
SF VRT





More information about the Snort-sigs mailing list