[Snort-sigs] bug? in VRT rule classtype:misc-activity; sid:525; rev:10; ) flow:to_server

Michael Scheidell scheidell at ...249...
Tue Apr 14 18:47:01 EDT 2009


Apr 14 18:21:59 scanner snort[57515]: FATAL ERROR: 
rules/bad-traffic.rules(28): Cannot check flow connection for non-TCP 
traffic

what am I missing?  there are lots of udp rules that have a flow.* 
signature.

(note, previously, I was downloading the snort 2.4.4 rules.  I don't 
remember problems with them.
now I am downloading this one since finally migrating everyone to snort 
2.8.2.
snortrules-snapshot-2.8_s.tar.gz

rule:(snapshot-2.8)

alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0
traffic"; flow:to_server; reference:bugtraq,576;
reference:cve,1999-0675; reference:nessus,10074;
classtype:misc-activity; sid:525; rev:10;)

rule: (snortrules-snapshot-2.4.tar.gz)

alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0
traffic"; reference:bugtraq,576; reference:cve,1999-0675;
reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)


snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.2.2 (Build 18)  FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.8 2008-09-05


system, freebsd 6.4, i386.

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20090414/1379cc6e/attachment.html>


More information about the Snort-sigs mailing list