[Snort-sigs] bug? in VRT rule classtype:misc-activity; sid:525; rev:10; ) flow:to_server

Joel Esler eslerj at ...2420...
Tue Apr 14 19:13:22 EDT 2009


Can you move to 2.8.4?  That version uses Stream5 by default.
J

On Tue, Apr 14, 2009 at 6:47 PM, Michael Scheidell <scheidell at ...249...> wrote:

>  Apr 14 18:21:59 scanner snort[57515]: FATAL ERROR:
> rules/bad-traffic.rules(28): Cannot check flow connection for non-TCP
> traffic
>
> what am I missing?  there are lots of udp rules that have a flow.*
> signature.
>
> (note, previously, I was downloading the snort 2.4.4 rules.  I don't
> remember problems with them.
> now I am downloading this one since finally migrating everyone to snort
> 2.8.2.
> snortrules-snapshot-2.8_s.tar.gz
>
> rule:(snapshot-2.8)
>
> alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0
> traffic"; flow:to_server; reference:bugtraq,576;
> reference:cve,1999-0675; reference:nessus,10074;
> classtype:misc-activity; sid:525; rev:10;)
>
> rule: (snortrules-snapshot-2.4.tar.gz)
>
> alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0
> traffic"; reference:bugtraq,576; reference:cve,1999-0675;
> reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
>
>
> snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.2.2 (Build 18)  FreeBSD
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>            (C) Copyright 1998-2008 Sourcefire Inc., et al.
>            Using PCRE version: 7.8 2008-09-05
>
>
> system, freebsd 6.4, i386.
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
>
>    - Certified SNORT Integrator
>    - 2008-9 Hot Company Award Winner, World Executive Alliance
>    - Five-Star Partner Program 2009, VARBusiness
>    - Best Anti-Spam Product 2008, Network Products Guide
>    - King of Spam Filters, SC Magazine 2008
>


-- 
joel esler | Sourcefire | gtalk: jesler at ...435... | 302-223-5974
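
An added example, not part of the original thread and not code from Snort or Sourcefire: a pre-flight check that lists rules whose protocol is not tcp yet carry a `flow` option, the combination the FATAL ERROR quoted above complains about, so they can be found before loading a ruleset on a sensor that has not moved to Stream5. The rule parser is a simplified assumption about rule syntax, and the function names and the TCP sample rule are hypothetical.

```python
import re

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(r'^\s*\w+\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*'
                     r'\((?P<opts>.*)\)\s*$', re.S)

def split_options(body):
    """Split rule options on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ';' and not in_quote and not escaped:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            in_quote ^= (ch == '"' and not escaped)
            escaped = ch == '\\' and not escaped
            cur.append(ch)
    return [o for o in opts if o]

def flow_on_non_tcp(rules_text):
    """Return (first_line, sid, proto, flow_args) for non-TCP rules that use flow."""
    hits, logical, start = [], '', 0
    for n, line in enumerate(rules_text.splitlines(), 1):
        start = start or n
        if line.rstrip().endswith('\\'):      # rule continues on the next line
            logical += line.rstrip()[:-1] + ' '
            continue
        m = RULE_RE.match(logical + line)     # comment lines never match the header
        if m and m['proto'].lower() != 'tcp':
            pairs = (o.partition(':') for o in split_options(m['opts']))
            opts = {k.strip(): v.strip() for k, _, v in pairs}
            if 'flow' in opts:
                hits.append((start, opts.get('sid'), m['proto'], opts['flow']))
        logical, start = '', 0
    return hits

# Constructed rules file: sid 525 rev 10 and rev 9 as quoted above, plus a made-up TCP rule.
SAMPLE = r'''
alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; \
  flow:to_server; reference:bugtraq,576; reference:cve,1999-0675; \
  reference:nessus,10074; classtype:misc-activity; sid:525; rev:10;)
alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; \
  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; \
  classtype:misc-activity; sid:525; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed; tcp"; flow:to_server; sid:1000001;)
'''

if __name__ == '__main__':
    print(*flow_on_non_tcp(SAMPLE), sep='\n')
```

Only the rev 10 copy of sid 525 is reported; the rev 9 copy has no `flow` option and the TCP rule is allowed to use one.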