[Snort-users] Errors in vision.conf

Max Vision vision at ...4...
Mon Nov 13 13:15:46 EST 2000


Yep, mistake on my part - since these two are exactly the same as the TCP
equivalents, I had copied the records and made minor changes - I forgot to
remove the TCP flags.  This is fixed now.  In your copy just remove the
"flags: AP;"

Max

On Mon, 13 Nov 2000, Ron 'The InSaNe One' Rosson wrote:

> These 2 lines in the current vision.conf from whitehats will not
> allow my snort to start.
>
> alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode-x86-setuid0-udp"; flags: AP; content: "|b017 cd80|";)
> alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode-x86-setgid0-udp"; flags: AP; content: "|b0b5 cd80|";)
>
> Here is the error I get:
>
> ERROR Line /etc/snort/vision.conf (443): TCP Options on non-TCP rule
>
> Anyone know what is causing this?
>
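
A check for the mistake discussed in this thread, added here as an example (it is not from the post, from Snort, or from vision.conf): it reports the "flags" option on non-TCP rules and removes it, as the reply advises. The function names, the sample TCP rule and the TCP_ONLY_OPTIONS set are assumptions of this example.

```python
import re

# Constructed sample: one TCP rule (hypothetical msg) plus the two UDP rules quoted in the thread.
SAMPLE = """\
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "sample-tcp-rule"; flags: AP; content: "|b017 cd80|";)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode-x86-setuid0-udp"; flags: AP; content: "|b017 cd80|";)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode-x86-setgid0-udp"; flags: AP; content: "|b0b5 cd80|";)
"""

# Assumption: only "flags" is listed, because it is the one option the thread confirms.
TCP_ONLY_OPTIONS = {"flags"}

# action, protocol, addresses/ports, then the parenthesised option body
RULE_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+[^(]*\((.*)\)\s*$")

def split_options(body):
    """Split the option body on ';', ignoring ';' inside double quotes."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]

def lint(text):
    """Return (findings, fixed_text); findings are (line_no, protocol, option)."""
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m and m.group(2).lower() != "tcp":
            opts = split_options(m.group(3))
            bad = [o for o in opts if o.split(":", 1)[0].strip().lower() in TCP_ONLY_OPTIONS]
            if bad:
                findings += [(n, m.group(2), o) for o in bad]
                kept = [o for o in opts if o not in bad]
                # Rebuild only the rules that changed; other lines pass through untouched.
                line = line[:m.start(3)] + "; ".join(kept) + ";)"
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    findings, fixed = lint(SAMPLE)
    for n, proto, opt in findings:
        print(f"line {n}: '{opt}' on {proto} rule")
    print(fixed, end="")
```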



