[Snort-users] Errors in vision.conf

Jan Muenther jan at ...206...
Mon Nov 13 12:10:59 EST 2000


Hi,

> alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode-x86-setuid0-udp"; flags: AP; content: "|b017 cd80|";)
> alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode-x86-setgid0-udp"; flags: AP; content: "|b0b5 cd80|";)

> Anyone know what is causing this?

Well, kind of. Looks like that rule contains flag definitions for
ACK and PUSH, which are only implemented in TCP's control scheme,
not in UDP (which is connectionless). Since UDP is defined as the
relevant protocol, snort complains. Seems quite logical to me,
though I don't know who wrote the rules or what the intention
with these combinations was.

Hope that clarified the issue,

Jan
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
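A rule check for exactly this mismatch, as an added example that is not from the thread or from Snort itself: it parses one-line Snort rules, reports TCP-only options (here `flags`) on rules whose protocol is not TCP, and rewrites such a rule without them. The parser, the `TCP_ONLY_OPTIONS` set and the function names are assumptions made for illustration, not Snort's own rule loader.

```python
import re
# "flags" tests the TCP flag bits (ACK, PUSH, ...); a UDP datagram has none.
TCP_ONLY_OPTIONS = {"flags"}

RULE_RE = re.compile(
    r"^(?P<header>\w+\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# Split on ';' only when an even number of '"' follows, i.e. outside quoted values.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(rule):
    """Return (header, proto, [(keyword, value), ...]) or None if unparseable."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return None
    opts = []
    for part in OPT_SPLIT_RE.split(m.group("opts")):
        part = part.strip()
        if part:
            key, _, val = part.partition(":")
            opts.append((key.strip(), val.strip()))
    return m.group("header"), m.group("proto").lower(), opts

def lint_rule(rule):
    """List the problems in one rule; an empty list means it passed."""
    parsed = parse_rule(rule)
    if parsed is None:
        return ["unparseable rule"]
    _, proto, opts = parsed
    return [f"'{k}: {v}' is TCP-only but the rule protocol is {proto}"
            for k, v in opts if k in TCP_ONLY_OPTIONS and proto != "tcp"]

def fix_rule(rule):
    """Drop TCP-only options from a non-TCP rule; other rules come back unchanged."""
    parsed = parse_rule(rule)
    if parsed is None or parsed[1] == "tcp":
        return rule.strip()
    header, _, opts = parsed
    kept = [f"{k}: {v}" if v else k for k, v in opts if k not in TCP_ONLY_OPTIONS]
    return f"{header} ({'; '.join(kept)};)"

# The two rules quoted in the thread, plus a constructed TCP rule that is valid.
SAMPLE_RULES = [
    'alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode-x86-setuid0-udp"; flags: AP; content: "|b017 cd80|";)',
    'alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode-x86-setgid0-udp"; flags: AP; content: "|b0b5 cd80|";)',
    'alert tcp $EXTERNAL any -> $INTERNAL any (msg: "constructed-tcp-example"; flags: AP; content: "|b017 cd80|";)',
]
```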