[Snort-sigs] New revs? of old sigs causing Snort to die

Jeff Dell jdell at ...178...
Mon Oct 22 09:31:53 EDT 2007

It sure would be nice to have a static name for downloading rulesets. If
people don't keep up with the new versions of Snort, they could have
problems like this when the ruleset has a name change.


-----Original Message-----
From: snort-sigs-bounces at lists.sourceforge.net
[mailto:snort-sigs-bounces at lists.sourceforge.net] On Behalf Of Nigel
Sent: Sunday, October 21, 2007 7:15 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] New revs? of old sigs causing Snort to die

On 10/21/07 5:31 PM, "Paul Melson" <pmelson at ...2420...> wrote:

> Starting Friday I noticed the following problems with the following
> signatures.
> The following rules start with 'alert udp' and contain flow: statements.
> 634,635,636,637,2004
> I'm using Snort on RHEL4 and it's complaining and refusing to
> run until these rules are commented out.
> Also, the following rules are using a comma-delimited list of ports,
> which is causing Snort to barf:
> 12635,12642
> What's up?
> PaulM

Which ruleset are you using? If it is not the one intended for 2.7 then you
will have problems like that because those rules are intended for 2.8 and
higher, which are able to use flow with UDP rules and port lists.

Nigel Houghton
Office Linebacker

This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list