[Snort-users] Errors in vision.conf

Christopher Cramer cec at ...68...
Mon Nov 13 12:49:11 EST 2000


My money would be on the "flags: AP" line.  Last I checked, UDP didn't
have ACK or PUSH flags.

-Chris


On Mon, 13 Nov 2000, Ron 'The InSaNe One' Rosson wrote:

> These 2 lines in the current vision.conf from whitehats will not
> allow my snort to start.
> 
> alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode-x86-setuid0-udp"; flags: AP; content: "|b017 cd80|";)
> alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode-x86-setgid0-udp"; flags: AP; content: "|b0b5 cd80|";)
> 
> Here is the error I get:
> 
> ERROR Line /etc/snort/vision.conf (443): TCP Options on non-TCP rule
> 
> Anyone know what is causing this?
> 
> TIA
> -- 
> ------------------------------------------------------------------------------
> Ron Rosson          			      ... and a UNIX user said ...
> The InSaNe One                 			      rm -rf *
> insane at ...322...     	            and all was /dev/null and *void()
> ------------------------------------------------------------------------------
>    God could create the universe in six days because he didn't have
> 		    to make it upward compatible.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
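The check discussed in this thread can be run over a rules file before Snort is started. The following is an added example, not part of the original messages and not Snort's own code: it reports TCP-only options on non-TCP rules and suggests the rule without them. The option set (flags, seq, ack), the function names and the third sample rule are assumptions made for the illustration.

```python
import re

# Assumption for this example: rule options treated as TCP-only.
TCP_ONLY = {"flags", "seq", "ack"}

RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<header>[^(]*)\((?P<opts>.*)\)\s*$")

# Constructed input: the two UDP rules quoted above plus one made-up TCP rule.
SAMPLE = '''# constructed test file
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode-x86-setuid0-udp"; flags: AP; content: "|b017 cd80|";)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode-x86-setgid0-udp"; flags: AP; content: "|b0b5 cd80|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "constructed-tcp-rule"; flags: AP; content: "GET";)
'''

def split_options(opts):
    """Split the option list on semicolons that sit outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def lint(text):
    """Return (line number, offending options, suggested rule) per bad rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        if m.group("proto").lower() == "tcp":
            continue  # TCP rules may carry these options
        opts = split_options(m.group("opts"))
        bad = [o for o in opts if o.split(":", 1)[0].strip().lower() in TCP_ONLY]
        if bad:
            kept = "; ".join(o for o in opts if o not in bad)
            fixed = "%s %s %s(%s;)" % (m.group("action"), m.group("proto"),
                                       m.group("header"), kept)
            findings.append((lineno, bad, fixed))
    return findings

if __name__ == "__main__":
    for lineno, bad, fixed in lint(SAMPLE):
        print("line %d: %s on non-TCP rule\n  suggested: %s" % (lineno, ", ".join(bad), fixed))
```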



